Boot or Logon Autostart Execution: Re-opened Applications

Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/ and ~/Library/Preferences/ByHost/* .plist.

An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine [1].

ID: T1547.007
Sub-technique of:  T1547
Platforms: macOS
Permissions Required: User
Data Sources: Command: Command Execution, File: File Modification
Version: 1.0
Created: 24 January 2020
Last Modified: 24 January 2020


ID Mitigation Description
M1042 Disable or Remove Feature or Program

This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.

M1017 User Training

Holding the Shift key while logging in prevents apps from opening automatically. [2]


Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.