T1547.007 Google Chronicle · YARA-L

Detect Re-opened Applications in Google Chronicle

Adversaries may modify plist files to automatically run an application when a user logs in on macOS. When a user logs out or restarts via the macOS GUI, a prompt with a checkbox to 'Reopen windows when logging back in' causes all currently open applications to be added to a property list file named com.apple.loginwindow.[UUID].plist within ~/Library/Preferences/ByHost/. Adversaries can establish persistence by adding a malicious application path to this plist file to execute payloads when a user logs in.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation
Technique: T1547 Boot or Logon Autostart Execution
Sub-technique: T1547.007 Re-opened Applications
Canonical reference: https://attack.mitre.org/techniques/T1547/007/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule macos_loginwindow_plist_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects creation or modification of macOS loginwindow plist files used for re-opened application persistence (T1547.007)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.007"
    severity = "MEDIUM"
    confidence = "MEDIUM"

  events:
    // File writes to the per-host loginwindow preferences plist
    $e.metadata.event_type = "FILE_CREATION" or $e.metadata.event_type = "FILE_MODIFICATION"
    $e.target.file.full_path = /\/Library\/Preferences\/ByHost\/com\.apple\.loginwindow\./
    // The ByHost loginwindow plist is a macOS-only artifact, so restrict to MAC hosts
    $e.principal.asset.platform_software.platform = "MAC"

  condition:
    $e
}

Chronicle YARA-L 2.0 rule that matches file creation or modification events whose target is a com.apple.loginwindow plist under the macOS ByHost preferences directory. It monitors for adversarial persistence via the re-opened applications mechanism.

Data Sources

Chronicle macOS endpoint telemetry: Google Chronicle UDM file events from macOS agents

Required Tables

UDM events with FILE_CREATION or FILE_MODIFICATION event types

False Positives & Tuning

  • Normal macOS GUI logout with session restore checkbox resulting in routine plist file writes
  • MDM-managed Macs with policies that periodically reset or manage login window preferences (Jamf, Mosyle, Kandji)
  • User-initiated application management or macOS system migration tools that read/write ByHost preferences


Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Add Application to Loginwindow Plist via defaults

    Expected signal: File modification event for com.apple.loginwindow plist. Process creation for defaults command with the write arguments.

  2. Test 2: Read Current Loginwindow Plist

    Expected signal: Process creation event for plutil. No file modification events.

  3. Test 3: Modify Loginwindow Plist via AppleScript

    Expected signal: Process creation for osascript. File modification event for loginwindow plist. The osascript parent process is a strong indicator.
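To exercise the rule's match conditions, the tuning notes and the expected test signals offline, here is an added Python example (not from the original page or from Chronicle) that applies the same logic to constructed UDM-style events, suppresses the MDM writers named above and raises severity for the defaults/osascript writers the tests call out; the writing-process field (principal.process.file.full_path) and the allowlist contents are assumptions.

```python
import re

# UDM-like dicts: the fields the rule inspects plus principal.process.file.full_path (assumed populated).
LOGINWINDOW_PLIST = re.compile(r"/Library/Preferences/ByHost/com\.apple\.loginwindow\.")
FILE_EVENTS = {"FILE_CREATION", "FILE_MODIFICATION"}
# Constructed allowlist based on the MDM agents named in the tuning notes.
MDM_WRITERS = {"jamf", "jamfagent", "mosyle", "kandji"}
# Writers the testing notes single out as stronger indicators.
SUSPICIOUS_WRITERS = {"defaults", "osascript"}

def _get(d, *keys):
    """Walk nested dicts; return "" when any key is missing."""
    for k in keys:
        d = d.get(k, {}) if isinstance(d, dict) else {}
    return d if isinstance(d, str) else ""

def evaluate(event):
    """Apply the rule's conditions, then the tuning; None = no match, else a verdict dict."""
    if _get(event, "metadata", "event_type") not in FILE_EVENTS:
        return None
    path = _get(event, "target", "file", "full_path")
    if not LOGINWINDOW_PLIST.search(path):
        return None
    if _get(event, "principal", "asset", "platform_software", "platform") != "MAC":
        return None
    writer = _get(event, "principal", "process", "file", "full_path").rsplit("/", 1)[-1].lower()
    if writer in MDM_WRITERS:  # routine MDM preference management
        return {"verdict": "suppressed", "writer": writer, "severity": None, "path": path}
    severity = "HIGH" if writer in SUSPICIOUS_WRITERS else "MEDIUM"
    return {"verdict": "alert", "writer": writer, "severity": severity, "path": path}

def alerts(events):
    return [v for v in map(evaluate, events) if v and v["verdict"] == "alert"]

def _event(event_type, platform, path, writer):
    return {"metadata": {"event_type": event_type},
            "target": {"file": {"full_path": path}},
            "principal": {"asset": {"platform_software": {"platform": platform}},
                          "process": {"file": {"full_path": writer}}}}

PLIST = "/Users/alice/Library/Preferences/ByHost/com.apple.loginwindow.0000-UUID.plist"
LOGINWINDOW = "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"
SAMPLE_EVENTS = [  # constructed telemetry covering the cases the page describes
    _event("FILE_MODIFICATION", "MAC", PLIST, "/usr/bin/defaults"),    # Test 1 pattern
    _event("FILE_MODIFICATION", "MAC", PLIST, "/usr/local/bin/jamf"),  # MDM noise
    _event("FILE_MODIFICATION", "MAC", PLIST, LOGINWINDOW),            # routine GUI logout
    _event("FILE_CREATION", "LINUX", PLIST, "/usr/bin/cp"),            # wrong platform
    _event("FILE_MODIFICATION", "MAC", "/Users/alice/Library/Preferences/com.apple.dock.plist", "/usr/bin/defaults"),
]
```

Running `alerts(SAMPLE_EVENTS)` yields two verdicts: the defaults write at HIGH and the loginwindow write at MEDIUM, while the Jamf write is suppressed and the Linux and Dock events never match.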
