Boot or Logon Autostart Execution: Plist Modification
Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X use to configure applications and services. These files are UTF-8 encoded and formatted like XML documents, as a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many other settings. Plists are stored in different locations depending on their purpose, such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges).
Adversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.
A specific plist used for execution at login is com.apple.loginitems.plist. Applications under this plist run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them. Users have direct control over login items installed using a shared file list, which are also visible in System Preferences. Some of these applications can open visible dialogs to the user, but they don't all have to since there is an option to "hide" the window. If an adversary can register their own login item or modify an existing one, then they can use it to execute their code as a persistence mechanism each time the user logs in. The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like AppleScript can do this as well.
LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in
| M1022 | Restrict File and Directory Permissions | Prevent plist files from being modified by users by making them read-only. |
Holding the shift key during login prevents apps from opening automatically. 
File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.
All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowlisted for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.
Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.
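One way to implement the file system monitoring described above, as an added example that is not part of the ATT&CK page or of any tool it names: a Python script that baselines plist files by hash and, for files that change, reports which top-level keys differ. The directory list, the function names `snapshot` and `compare`, and the one-minute polling interval are assumptions.

```python
# Added example, not ATT&CK's code. Assumed scope: the two directories the page names.
import hashlib
import plistlib
import time
from pathlib import Path

DEFAULT_DIRS = [Path("/Library/Preferences"), Path.home() / "Library/Preferences"]

def snapshot(dirs=DEFAULT_DIRS):
    """Map each plist path to its SHA-256 and its parsed content."""
    state = {}
    for root in dirs:
        for path in sorted(Path(root).rglob("*.plist")):
            try:
                raw = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            try:
                data = plistlib.loads(raw)  # accepts XML and binary plists
            except Exception:
                data = None  # unparseable: still tracked by hash
            state[str(path)] = {"sha256": hashlib.sha256(raw).hexdigest(), "data": data}
    return state

def compare(baseline, current):
    """Return (kind, path, changed_top_level_keys) tuples, sorted by path."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append(("added", path, []))
        elif new is None:
            findings.append(("removed", path, []))
        elif old["sha256"] != new["sha256"]:
            a, b = old["data"], new["data"]
            keys = []
            if isinstance(a, dict) and isinstance(b, dict):
                keys = sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))
            findings.append(("modified", path, keys))
    return findings

if __name__ == "__main__":
    baseline = snapshot()
    while True:  # poll once a minute (interval is an assumption)
        time.sleep(60)
        current = snapshot()
        for finding in compare(baseline, current):
            print(*finding)
        baseline = current
```

Application bundle paths such as Contents/Library/LoginItems can be covered by passing additional directories to `snapshot`.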