The sub-techniques beta is now live! Read the release blog post for more info.

Re-opened Applications

Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/ and ~/Library/Preferences/ByHost/* .plist.

An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine [1].

ID: T1164
Tactic: Persistence
Platform: macOS
Permissions Required: User
Data Sources: File monitoring
Version: 1.1
Created: 14 December 2017
Last Modified: 25 June 2019


Mitigation Description
Disable or Remove Feature or Program

This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.

User Training

Holding the Shift key while logging in prevents apps from opening automatically.


Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.