Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.
|M1042||Disable or Remove Feature or Program||
This feature can be disabled entirely with the following terminal command:
Holding the Shift key while logging in prevents apps from opening automatically.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in.
Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.
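One way to carry out the plist monitoring described above, as an added example that is not part of the original page: it parses com.apple.loginwindow.[UUID].plist files and reports reopen entries whose application path lies outside expected install locations. The key name TALAppsToRelaunchAtLogin, the BundleID and Path fields, the trusted prefix list and the sample entries are assumptions or constructed values, not taken from the page.

```python
import plistlib
import posixpath
from pathlib import Path

# Assumption (not stated on the page): relaunch entries are stored under this
# key as a list of dicts carrying "BundleID" and "Path".
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Assumption: install locations treated as expected; tune for your fleet.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/",
                    "/System/Library/CoreServices/")

def reopen_entries(plist_bytes):
    """Return (bundle_id, path) pairs from XML or binary plist data."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return []  # unparseable data yields no entries
    entries = data.get(RELAUNCH_KEY, []) if isinstance(data, dict) else []
    if not isinstance(entries, list):
        return []
    return [(str(e.get("BundleID", "")), str(e.get("Path", "")))
            for e in entries if isinstance(e, dict)]

def unexpected_entries(plist_bytes, trusted=TRUSTED_PREFIXES):
    """Entries whose path, after collapsing '..', is outside trusted prefixes."""
    return [(bid, path) for bid, path in reopen_entries(plist_bytes)
            if not posixpath.normpath(path).startswith(trusted)]

def scan_byhost(byhost_dir):
    """Map each com.apple.loginwindow.*.plist to its unexpected entries."""
    findings = {}
    for f in sorted(Path(byhost_dir).glob("com.apple.loginwindow.*.plist")):
        hits = unexpected_entries(f.read_bytes())
        if hits:
            findings[f.name] = hits
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE = plistlib.dumps({RELAUNCH_KEY: [
    {"BundleID": "com.example.editor", "Path": "/Applications/Editor.app"},
    {"BundleID": "com.example.updater", "Path": "/Users/Shared/.cache/Updater.app"},
    {"BundleID": "com.example.notes", "Path": "/Applications/../private/tmp/Notes.app"},
]})

if __name__ == "__main__":
    byhost = Path.home() / "Library/Preferences/ByHost"
    for name, hits in scan_byhost(byhost).items():
        for bundle_id, path in hits:
            print(f"{name}: {bundle_id} -> {path}")
```

Run on a schedule or from an EDR live-response shell, and compare findings against a previous run to see when a new application has registered itself.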