title: Re-opened Applications (T1547.007)
id: df00tech-t1547-007
status: experimental
description: "Adversaries may modify plist files to automatically run an application when a user logs in on macOS. When a user logs out or restarts via the macOS GUI, a prompt with a checkbox to 'Reopen windows when logging back in' causes all currently open applications to be added to a property list file named com.apple.loginwindow.[UUID].plist within ~/Library/Preferences/ByHost/. Adversaries can establish persistence by adding a malicious application path to this plist file to execute payloads when a user logs in."
references:
  - https://attack.mitre.org/techniques/T1547/007/
  - https://df00tech.com/detections/T1547.007
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.007
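# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: macos
  category: file_event
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is derived from the description above and is an assumption, not the df00tech query.
  # It matches file events on the per-host loginwindow plist; the TargetFilename field name assumes
  # Sigma's macOS file_event mapping. Tune against the false positives listed below.
  selection:
    TargetFilename|contains: '/Library/Preferences/ByHost/com.apple.loginwindow.'
  condition: selection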
falsepositives:
  - Normal macOS logon/logoff cycle modifying the loginwindow plist via the loginwindow process
  - "Users manually toggling the 'Reopen windows when logging back in' checkbox in System Preferences"
  - macOS system updates that modify loginwindow preferences
level: medium
