Detect Re-opened Applications in Sumo Logic CSE
Adversaries may modify plist files to automatically run an application when a user logs in on macOS. When a user logs out or restarts via the macOS GUI, a prompt with a checkbox to 'Reopen windows when logging back in' causes all currently open applications to be added to a property list file named com.apple.loginwindow.[UUID].plist within ~/Library/Preferences/ByHost/. Adversaries can establish persistence by adding a malicious application path to this plist file to execute payloads when a user logs in.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.007 Re-opened Applications
- Canonical reference
- https://attack.mitre.org/techniques/T1547/007/
Sumo Detection Query
_sourceCategory=macos* OR _sourceCategory=osquery* OR _sourceCategory=endpoint* "com.apple.loginwindow" "Library/Preferences/ByHost"
| parse field=target_path "*/Library/Preferences/ByHost/*" as pref_path nodrop
| parse field=message "com.apple.loginwindow.*" as loginwindow_file nodrop
| where (action = "UPDATED" OR action = "CREATED" OR action = "MODIFIED" OR action = "FileCreated" OR action = "FileModified")
| where target_path matches "*/Library/Preferences/ByHost/com.apple.loginwindow*"
| fields _time, host, target_path, action, md5, sha256, user
| sort - _timeDetects creation or modification of com.apple.loginwindow plist files within macOS ByHost preferences directory. Adversaries add malicious application paths to these files to achieve persistence at user login.
Data Sources
Required Tables
False Positives & Tuning
- Routine macOS session restore activity triggered by users selecting 'Reopen windows when logging back in' at logout
- Automated workstation provisioning or re-imaging workflows that reset user login preferences as part of onboarding
- macOS software installers that modify user session preferences as part of their post-install configuration
Other platforms for T1547.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Application to Loginwindow Plist via defaults
Expected signal: File modification event for com.apple.loginwindow plist. Process creation for defaults command with the write arguments.
- Test 2Read Current Loginwindow Plist
Expected signal: Process creation event for plutil. No file modification events.
- Test 3Modify Loginwindow Plist via AppleScript
Expected signal: Process creation for osascript. File modification event for loginwindow plist. The osascript parent process is a strong indicator.
References (5)
- https://attack.mitre.org/techniques/T1547/007/
- https://support.apple.com/en-us/HT204005
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md
Unlock Pro Content
Get the full detection package for T1547.007 including response playbook, investigation guide, and atomic red team tests.