T1547.007 Splunk · SPL

Detect Re-opened Applications in Splunk

Adversaries may modify plist files to automatically run an application when a user logs in on macOS. When a user logs out or restarts via the macOS GUI, a prompt with a checkbox to 'Reopen windows when logging back in' causes all currently open applications to be added to a property list file named com.apple.loginwindow.[UUID].plist within ~/Library/Preferences/ByHost/. Adversaries can establish persistence by adding a malicious application path to this plist file to execute payloads when a user logs in.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.007 Re-opened Applications
Canonical reference
https://attack.mitre.org/techniques/T1547/007/

SPL Detection Query

Splunk (SPL)
spl 
index=macos sourcetype="osquery:results" name="file_events"
  target_path="*/Library/Preferences/ByHost/com.apple.loginwindow.*"
  action="UPDATED" OR action="CREATED"
| table _time, host, target_path, action, md5, sha256
| sort - _time
medium severity medium confidence

Detects modifications to macOS loginwindow plist files using osquery file integrity monitoring. The com.apple.loginwindow.[UUID].plist files in ByHost control application re-opening at logon. Unauthorized modifications may indicate persistence.

Data Sources

File: File ModificationFile: File Creationosquery File Integrity Monitoring

Required Sourcetypes

osquery:results

False Positives & Tuning

  • Normal macOS logon/logoff cycle updating loginwindow plist
  • User toggling reopen-windows preference
  • macOS system updates
Download portable Sigma rule (.yml)

Other platforms for T1547.007

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Application to Loginwindow Plist via defaults

    Expected signal: File modification event for com.apple.loginwindow plist. Process creation for defaults command with the write arguments.

  2. Test 2Read Current Loginwindow Plist

    Expected signal: Process creation event for plutil. No file modification events.

  3. Test 3Modify Loginwindow Plist via AppleScript

    Expected signal: Process creation for osascript. File modification event for loginwindow plist. The osascript parent process is a strong indicator.

Last updated: 2026-04-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1547.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1547Boot or Logon Autostart Execution

Related Sub-techniques

T1547.001Registry Run Keys / Startup FolderT1547.002Authentication PackageT1547.003Time ProvidersT1547.004Winlogon Helper DLLT1547.005Security Support ProviderT1547.006Kernel Modules and ExtensionsT1547.008LSASS DriverT1547.009Shortcut ModificationT1547.010Port MonitorsT1547.012Print ProcessorsT1547.013XDG Autostart EntriesT1547.014Active SetupT1547.015Login Items

Related Techniques

T1547Boot or Logon Autostart ExecutionT1547.015Login ItemsT1543.004Launch DaemonT1543.001Launch AgentT1059.002AppleScript

Same Tactic: Persistence

Popular Detections