title: Plist File Modification (T1647)
id: df00tech-t1647
status: experimental
description: "This detection identifies adversarial modification of macOS property list (plist) files to enable persistence, evade defenses, or alter application behavior. Attackers use tools such as plutil, PlistBuddy, and the defaults command to insert or modify keys like LSUIElement (hide app from UI), LSEnvironment (inject environment variables for dynamic linker hijacking), RunAtLoad, and ProgramArguments in LaunchAgent or LaunchDaemon plists. Known malware families including XCSSET and Cuckoo Stealer abuse plist modification to persist across reboots and conceal malicious processes. The detection monitors process execution of common plist editing utilities with arguments targeting sensitive keys and system persistence paths."
references:
  - https://attack.mitre.org/techniques/T1647/
  - https://df00tech.com/detections/T1647
author: df00tech
date: 2026/03/20
tags:
  - attack.t1647
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
  - System administrators using the defaults command to manage enterprise preferences and MDM profiles
  - Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation
  - Homebrew package manager modifying application plist files during install or upgrade operations
  - "IT management tools (Jamf, Munki, Chef) that programmatically write LaunchAgent plists for legitimate automation"
level: high
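As an added example that is not part of the df00tech rule, the detection logic the description outlines, written in Python and run over constructed process-creation events: a plist-editing tool must be combined with a sensitive key or a LaunchAgent/LaunchDaemon path before it alerts, so ordinary `defaults write` preference changes and `plutil -lint` checks from the false-positive list stay quiet. The tool names, keys and paths are those named in the description; the `image`/`cmdline` field names are an assumption about the sensor.

```python
from typing import Optional

# Tools, keys and persistence paths named in the rule description.
PLIST_TOOLS = ("plutil", "PlistBuddy", "defaults")
SENSITIVE_KEYS = ("LSUIElement", "LSEnvironment", "RunAtLoad", "ProgramArguments")
PERSISTENCE_PATHS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")

# Constructed sample process-creation events (not real telemetry);
# the "image"/"cmdline" field names are an assumption about the sensor.
SAMPLE_EVENTS = [
    {"image": "/usr/bin/plutil",
     "cmdline": "plutil -replace LSUIElement -bool true /Applications/Foo.app/Contents/Info.plist"},
    {"image": "/usr/libexec/PlistBuddy",
     "cmdline": "PlistBuddy -c 'Set :RunAtLoad true' /Users/alice/Library/LaunchAgents/com.example.agent.plist"},
    {"image": "/usr/bin/defaults",
     "cmdline": "defaults write /Library/LaunchDaemons/com.example.daemon.plist Label com.example.daemon"},
    {"image": "/usr/bin/defaults",  # benign preference change: tool matches, nothing sensitive
     "cmdline": "defaults write com.apple.finder AppleShowAllFiles -bool true"},
    {"image": "/usr/bin/plutil",  # benign syntax check: tool matches, nothing sensitive
     "cmdline": "plutil -lint /Applications/Foo.app/Contents/Info.plist"},
    {"image": "/usr/bin/grep",  # key appears in the arguments but the process is not a plist editor
     "cmdline": "grep RunAtLoad /Library/LaunchAgents/com.example.agent.plist"},
]


def classify(event: dict) -> Optional[dict]:
    """Mirror the rule: a plist-editing tool AND (a sensitive key OR a persistence path)."""
    tool = event["image"].rsplit("/", 1)[-1]
    if tool not in PLIST_TOOLS:
        return None
    cmd = event["cmdline"]
    keys = [k for k in SENSITIVE_KEYS if k in cmd]
    paths = [p for p in PERSISTENCE_PATHS if p in cmd]
    if not keys and not paths:
        return None  # tool ran, but nothing the rule cares about was touched
    return {"tool": tool, "keys": keys, "paths": paths}


def run_detection(events: list) -> list:
    """Return (event index, match details) for every event that alerts."""
    hits = []
    for i, event in enumerate(events):
        match = classify(event)
        if match is not None:
            hits.append((i, match))
    return hits
```

Only the first three constructed events alert; the tool-only and key-only events fall through, which is the boundary the false-positive list describes.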
