Boot or Logon Autostart Execution: Re-opened Applications

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".[1] When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.[2][3] Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.

ID: T1547.007
Sub-technique of:  T1547
Platforms: macOS
Permissions Required: User
Version: 1.1
Created: 24 January 2020
Last Modified: 19 April 2022

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.

M1017 User Training

Holding the Shift key while logging in prevents apps from opening automatically.[1]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in.

DS0022 File File Modification

Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.

References