Which SIEM platforms have a T1547.007 detection rule?

df00tech provides T1547.007 (Re-opened Applications) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Re-opened Applications (T1547.007)?

Detecting Re-opened Applications requires the following data sources: File: File Modification, File: File Creation, Microsoft Defender for Endpoint.

What severity and confidence is the T1547.007 detection?

The T1547.007 detection is rated medium severity with medium confidence.

What are common false positives for T1547.007?

Common false positives for T1547.007 include: Normal macOS logon/logoff cycle modifying the loginwindow plist via the loginwindow process; Users manually toggling the 'Reopen windows when logging back in' checkbox in System Preferences; macOS system updates that modify loginwindow preferences.

T1547.007 CrowdStrike LogScale · LogScale

Detect Re-opened Applications in CrowdStrike LogScale

Adversaries may modify plist files to automatically run an application when a user logs in on macOS. When a user logs out or restarts via the macOS GUI, a prompt with a checkbox to 'Reopen windows when logging back in' causes all currently open applications to be added to a property list file named com.apple.loginwindow.[UUID].plist within ~/Library/Preferences/ByHost/. Adversaries can establish persistence by adding a malicious application path to this plist file to execute payloads when a user logs in.

MITRE ATT&CK

Tactic: Persistence Privilege Escalation
Technique: T1547 Boot or Logon Autostart Execution
Sub-technique: T1547.007 Re-opened Applications
Canonical reference: https://attack.mitre.org/techniques/T1547/007/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

#event_simpleName=WriteFile OR #event_simpleName=PeFileWritten
| TargetFileName = /Library\/Preferences\/ByHost\/com\.apple\.loginwindow\./
| select([_time, ComputerName, UserName, TargetFileName, FilePath, ContextProcessName, ContextCommandLine, SHA256HashData])
| sort(field=_time, order=desc)

medium severity medium confidence

Detects file write events targeting macOS loginwindow plist files in the ByHost preferences directory using CrowdStrike Falcon telemetry. Identifies potential persistence establishment via T1547.007 re-opened applications technique.

Data Sources

CrowdStrike Falcon sensor (macOS)Falcon Data Replicator file events

Required Tables

WriteFile eventsPeFileWritten events from Falcon macOS sensor

False Positives & Tuning

macOS system process 'loginwindow' itself writing to the plist file during normal logout with session restore enabled — verify initiating process is loginwindow or WindowServer
Backup agents (Carbonite, Backblaze, Time Machine helper processes) that access user preference files during scheduled backup runs
Enterprise endpoint management tools performing remote policy pushes that touch user login preferences as part of configuration management workflows

Download portable Sigma rule (.yml)

Other platforms for T1547.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Add Application to Loginwindow Plist via defaults
Expected signal: File modification event for com.apple.loginwindow plist. Process creation for defaults command with the write arguments.
Test 2Read Current Loginwindow Plist
Expected signal: Process creation event for plutil. No file modification events.
Test 3Modify Loginwindow Plist via AppleScript
Expected signal: Process creation for osascript. File modification event for loginwindow plist. The osascript parent process is a strong indicator.

Last updated: 2026-04-20 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1547.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Re-opened Applications in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1547.007

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Persistence

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1547.007

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox