T1547.007 Elastic Security · Elastic

Detect Re-opened Applications in Elastic Security

Adversaries may modify plist files to automatically run an application when a user logs in on macOS. When a user logs out or restarts via the macOS GUI, a prompt with a checkbox to 'Reopen windows when logging back in' causes all currently open applications to be added to a property list file named com.apple.loginwindow.[UUID].plist within ~/Library/Preferences/ByHost/. Adversaries can establish persistence by adding a malicious application path to this plist file to execute payloads when a user logs in.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.007 Re-opened Applications
Canonical reference
https://attack.mitre.org/techniques/T1547/007/

Elastic Detection Query

Elastic Security (Elastic)
eql 
file where host.os.type == "macos" and event.action in ("creation", "modification") and file.name like "com.apple.loginwindow.*" and file.path like "*/Library/Preferences/ByHost/*"
medium severity medium confidence

Detects creation or modification of com.apple.loginwindow plist files in the macOS ByHost preferences directory, which adversaries can use to establish persistence by adding malicious application paths that execute at user login.

Data Sources

Elastic Agent (macOS endpoint)Auditbeat file integrity monitoring

Required Tables

logs-endpoint.events.file-*auditbeat-*

False Positives & Tuning

  • Legitimate macOS session restore behavior when users log out with 'Reopen windows when logging back in' checkbox enabled
  • System preference management tools or MDM solutions (Jamf, Mosyle) modifying login window preferences during policy enforcement
  • macOS system updates or OS upgrades that regenerate loginwindow plist files during upgrade process
Download portable Sigma rule (.yml)

Other platforms for T1547.007

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Application to Loginwindow Plist via defaults

    Expected signal: File modification event for com.apple.loginwindow plist. Process creation for defaults command with the write arguments.

  2. Test 2Read Current Loginwindow Plist

    Expected signal: Process creation event for plutil. No file modification events.

  3. Test 3Modify Loginwindow Plist via AppleScript

    Expected signal: Process creation for osascript. File modification event for loginwindow plist. The osascript parent process is a strong indicator.

Last updated: 2026-04-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1547.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1547Boot or Logon Autostart Execution

Related Sub-techniques

T1547.001Registry Run Keys / Startup FolderT1547.002Authentication PackageT1547.003Time ProvidersT1547.004Winlogon Helper DLLT1547.005Security Support ProviderT1547.006Kernel Modules and ExtensionsT1547.008LSASS DriverT1547.009Shortcut ModificationT1547.010Port MonitorsT1547.012Print ProcessorsT1547.013XDG Autostart EntriesT1547.014Active SetupT1547.015Login Items

Related Techniques

T1547Boot or Logon Autostart ExecutionT1547.015Login ItemsT1543.004Launch DaemonT1543.001Launch AgentT1059.002AppleScript

Same Tactic: Persistence

Popular Detections