Skip to content

Latest commit

 

History

History
72 lines (32 loc) · 2.03 KB

T1547.007.md

File metadata and controls

72 lines (32 loc) · 2.03 KB

T1547.007 - Re-opened Applications

Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist.

An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).

Atomic Tests


Atomic Test #1 - Re-Opened Applications

Plist Method

Reference

Supported Platforms: macOS

Run it with these steps!

  1. create a custom plist:

    ~/Library/Preferences/com.apple.loginwindow.plist

or

~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist


Atomic Test #2 - Re-Opened Applications

Mac Defaults

Reference

Supported Platforms: macOS

Inputs:

Name Description Type Default Value
script path to script path /path/to/script

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo defaults write com.apple.loginwindow LoginHook #{script}