Re-opened Applications

DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "Library/Preferences/ByHost"
| where FileName startswith "com.apple.loginwindow."
| where ActionType in ("FileModified", "FileCreated")
| project Timestamp, DeviceName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc

index=macos sourcetype="osquery:results" name="file_events"
  target_path="*/Library/Preferences/ByHost/com.apple.loginwindow.*"
  action="UPDATED" OR action="CREATED"
| table _time, host, target_path, action, md5, sha256
| sort - _time

file where host.os.type == "macos" and event.action in ("creation", "modification") and file.name like "com.apple.loginwindow.*" and file.path like "*/Library/Preferences/ByHost/*"

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceip, username, "filepath", "filename", QIDNAME(qid) AS event_name, logsourcename(logSourceId) AS log_source FROM events WHERE LOGSOURCETYPEID(logSourceId) IN (SELECT id FROM SYS.LOGSOURCETYPES WHERE name ILIKE '%macOS%' OR name ILIKE '%osquery%' OR name ILIKE '%Elastic%') AND ("filepath" ILIKE '%/Library/Preferences/ByHost/%' OR "filename" ILIKE 'com.apple.loginwindow.%.plist') AND CATEGORYNAME(category) ILIKE '%file%' AND devicetime > (CURRENT_TIMESTAMP - 86400000) ORDER BY devicetime DESC

_sourceCategory=macos* OR _sourceCategory=osquery* OR _sourceCategory=endpoint* "com.apple.loginwindow" "Library/Preferences/ByHost"
| parse field=target_path "*/Library/Preferences/ByHost/*" as pref_path nodrop
| parse field=message "com.apple.loginwindow.*" as loginwindow_file nodrop
| where (action = "UPDATED" OR action = "CREATED" OR action = "MODIFIED" OR action = "FileCreated" OR action = "FileModified")
| where target_path matches "*/Library/Preferences/ByHost/com.apple.loginwindow*"
| fields _time, host, target_path, action, md5, sha256, user
| sort - _time

rule macos_loginwindow_plist_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects creation or modification of macOS loginwindow plist files used for re-opened application persistence (T1547.007)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.007"
    severity = "MEDIUM"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "FILE_CREATION" or $e.metadata.event_type = "FILE_MODIFICATION"
    $e.target.file.full_path = /\/Library\/Preferences\/ByHost\/com\.apple\.loginwindow\./
    $e.principal.asset.platform_software.platform = "LINUX" or
    $e.principal.asset.platform_software.platform = "MAC"

  condition:
    $e
}

#event_simpleName=WriteFile OR #event_simpleName=PeFileWritten
| TargetFileName = /Library\/Preferences\/ByHost\/com\.apple\.loginwindow\./
| select([_time, ComputerName, UserName, TargetFileName, FilePath, ContextProcessName, ContextCommandLine, SHA256HashData])
| sort(field=_time, order=desc)