Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".[1] When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.[2][3] Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | This feature can be disabled entirely with the following terminal command: |
| M1017 | User Training | Holding the Shift key while logging in prevents apps from opening automatically.[1] |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0125 | Detect persistence via reopened application plist modification (macOS) | AN0349 | Unusual modification or creation of loginwindow-related plist files in '~/Library/Preferences/ByHost' correlated with unauthorized application paths and execution upon login. |
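
One way to check the "unauthorized application paths" half of the analytic above, as an added example that is not part of the original page: it parses each com.apple.loginwindow.[UUID].plist under ~/Library/Preferences/ByHost and reports reopen entries whose path falls outside an allowlist. The key name `TALAppsToRelaunchAtLogin`, the `BundleID`/`Path` fields, the allowlisted directories and the sample data are assumptions not stated on the page.

```python
import plistlib
import posixpath
from pathlib import Path

# Assumption: directories from which reopened apps are expected in this environment.
ALLOWED_ROOTS = ("/Applications", "/System/Applications", "/System/Library/CoreServices")
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"  # assumption: key name is not given on the page


def relaunch_entries(plist_bytes):
    """Return (bundle_id, path) for every app the plist asks loginwindow to reopen."""
    data = plistlib.loads(plist_bytes)  # accepts both XML and binary plists
    items = data.get(RELAUNCH_KEY, []) if isinstance(data, dict) else []
    return [(str(i.get("BundleID", "")), str(i.get("Path", ""))) for i in items if isinstance(i, dict)]


def is_allowed(path, roots=ALLOWED_ROOTS):
    """True when the normalised path sits under an allowed root ('..' segments are collapsed first)."""
    norm = posixpath.normpath(path)
    return any(norm == r or norm.startswith(r + "/") for r in roots)


def unexpected_entries(plist_bytes, roots=ALLOWED_ROOTS):
    return [e for e in relaunch_entries(plist_bytes) if not is_allowed(e[1], roots)]


def scan_byhost(home=None):
    """Check every loginwindow plist in <home>/Library/Preferences/ByHost; return {file: findings}."""
    byhost = Path(home or Path.home()) / "Library/Preferences/ByHost"
    findings = {}
    for f in sorted(byhost.glob("com.apple.loginwindow.*.plist")):
        try:
            bad = unexpected_entries(f.read_bytes())
        except Exception as exc:  # an unreadable or malformed plist is itself worth reporting
            bad = [("<unparsed>", repr(exc))]
        if bad:
            findings[str(f)] = bad
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE = plistlib.dumps({RELAUNCH_KEY: [
    {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app", "Hide": False},
    {"BundleID": "com.example.updater", "Path": "/Users/Shared/.cache/Updater.app", "Hide": True},
    {"BundleID": "com.example.notes", "Path": "/Applications/../private/tmp/Notes.app", "Hide": False},
]})

if __name__ == "__main__":
    for bundle_id, path in unexpected_entries(SAMPLE):
        print(f"unexpected reopen entry: {bundle_id} -> {path}")
```

Correlating these findings with file-modification telemetry for the same plist and with process execution at the next login covers the rest of the analytic.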