Detect Re-opened Applications in IBM QRadar
Adversaries may modify plist files to automatically run an application when a user logs in on macOS. When a user logs out or restarts via the macOS GUI, a prompt with a checkbox to 'Reopen windows when logging back in' causes all currently open applications to be added to a property list file named com.apple.loginwindow.[UUID].plist within ~/Library/Preferences/ByHost/. Adversaries can establish persistence by adding a malicious application path to this plist file to execute payloads when a user logs in.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.007 Re-opened Applications
- Canonical reference
- https://attack.mitre.org/techniques/T1547/007/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceip, username, "filepath", "filename", QIDNAME(qid) AS event_name, logsourcename(logSourceId) AS log_source FROM events WHERE LOGSOURCETYPEID(logSourceId) IN (SELECT id FROM SYS.LOGSOURCETYPES WHERE name ILIKE '%macOS%' OR name ILIKE '%osquery%' OR name ILIKE '%Elastic%') AND ("filepath" ILIKE '%/Library/Preferences/ByHost/%' OR "filename" ILIKE 'com.apple.loginwindow.%.plist') AND CATEGORYNAME(category) ILIKE '%file%' AND devicetime > (CURRENT_TIMESTAMP - 86400000) ORDER BY devicetime DESCDetects file creation and modification events targeting macOS loginwindow plist files in the ByHost preferences directory, indicating potential persistence via re-opened applications mechanism.
Data Sources
Required Tables
False Positives & Tuning
- Normal macOS logout/restart cycles where users have session restore enabled, generating routine loginwindow plist updates
- Enterprise macOS management platforms (Jamf Pro, Kandji) performing scheduled preference file management
- Time Machine or other backup solutions accessing or restoring user preference files during backup or recovery operations
Other platforms for T1547.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Application to Loginwindow Plist via defaults
Expected signal: File modification event for com.apple.loginwindow plist. Process creation for defaults command with the write arguments.
- Test 2Read Current Loginwindow Plist
Expected signal: Process creation event for plutil. No file modification events.
- Test 3Modify Loginwindow Plist via AppleScript
Expected signal: Process creation for osascript. File modification event for loginwindow plist. The osascript parent process is a strong indicator.
References (5)
- https://attack.mitre.org/techniques/T1547/007/
- https://support.apple.com/en-us/HT204005
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md
Unlock Pro Content
Get the full detection package for T1547.007 including response playbook, investigation guide, and atomic red team tests.