Boot or Logon Autostart Execution: Plist Modification

Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X use to configure applications and services. These files are UTF-8 encoded and formatted like XML documents, as a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many other settings. plists are stored in specific locations depending on their purpose, such as /Library/Preferences (entries there execute with elevated privileges) and ~/Library/Preferences (entries there execute with the user's privileges).

Adversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.[1]

A specific plist used for execution at login is com.apple.loginitems.plist.[2] Applications listed in this plist run in the logged-in user's context and are started every time the user logs in. Login items installed using the Service Management Framework are not visible in System Preferences and can only be removed by the application that created them.[3] Users have direct control over login items installed using a shared file list, which are also visible in System Preferences.[3] Some of these applications can open dialogs visible to the user, but they don't all have to, since there is an option to "hide" the window. If an adversary can register their own login item or modify an existing one, they can use it to execute their code as a persistence mechanism each time the user logs in.[4][5] The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like AppleScript can do this as well.[3]

ID: T1547.011
Sub-technique of: T1547
Tactics: Persistence, Privilege Escalation
Platforms: macOS
Permissions Required: Administrator, User
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Version: 1.0
Created: 24 January 2020
Last Modified: 20 June 2020

Procedure Examples

Name Description
Dok

Dok persists via a plist login item.[7]

LoudMiner

LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in /Library/LaunchDaemons with KeepAlive set to true, which would restart the process if stopped.[8]

Mitigations

Mitigation Description
Restrict File and Directory Permissions

Prevent plist files from being modified by users by making them read-only.

User Training

Holding the shift key during login prevents apps from opening automatically. [6]

Detection

File system monitoring can determine if plist files are being modified. Users should not have permission to modify these files in most cases. Some software tools, such as KnockKnock, can detect persistence mechanisms and point to the specific files being referenced. This can be helpful for seeing what is actually being executed.

All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login Items. This area (and the corresponding file locations) should be monitored, with only known-good applications allowed. Login items can also be located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.[3]

Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.
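As an added example (not part of the ATT&CK page or any referenced tool), the following Python audit parses launchd plists with the standard plistlib module and reports the persistence-relevant keys discussed above (RunAtLoad, KeepAlive, the program that would run). The sample plist is constructed, and the interpreter and temp-directory heuristics are assumptions chosen for illustration:

```python
import plistlib
from pathlib import Path

# Assumed heuristic: interpreters commonly used to run a dropped script from launchd.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3"}

def audit_plist(data: bytes, path: str) -> dict:
    """Parse one launchd plist (XML or binary) and list why it deserves review."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else None)
    reasons = []
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad: job starts at boot or login")
    keep_alive = plist.get("KeepAlive")
    if keep_alive is True or isinstance(keep_alive, dict):
        reasons.append("KeepAlive: launchd restarts the job if it is stopped")
    # Interpreter-driven jobs are what shell-script persistence usually looks like
    # (compare the LoudMiner entry above).
    if program and Path(program).name in INTERPRETERS:
        reasons.append(f"interpreter-driven job: {program}")
    if any(a.startswith(("/tmp/", "/var/tmp/", "/Users/Shared/")) for a in args):
        reasons.append("command references a temp or shared directory")
    return {"path": path, "label": plist.get("Label"), "program": program,
            "arguments": args, "reasons": reasons}

def scan_directory(directory: str) -> list:
    """Audit every .plist in a launchd directory such as /Library/LaunchDaemons."""
    root = Path(directory)
    if not root.is_dir():
        return []
    results = []
    for p in sorted(root.glob("*.plist")):
        try:
            results.append(audit_plist(p.read_bytes(), str(p)))
        except Exception as exc:  # unparsable plist: still worth a look
            results.append({"path": str(p), "label": None, "program": None,
                            "arguments": [], "reasons": [f"unparsable: {exc}"]})
    return results

# Constructed sample resembling the LoudMiner pattern (not a real malware artifact).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>/Users/Shared/.update.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for f in [audit_plist(SAMPLE_PLIST, "(constructed)")] + scan_directory("/Library/LaunchDaemons"):
        print(f["path"], f["label"], f["reasons"])
```

Run it on /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents and compare the output against an inventory of known-good labels; any entry with reasons that is not in the inventory is a candidate for the process and file monitoring described above.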

References