Attack: Boot or Logon Autostart Execution: Re-opened Applications
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to “Reopen windows when logging back in”.(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file so that the payload executes when the user logs in.
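Because the relaunch list is an ordinary property list, a defender can audit it directly. The script below is an added example, not part of the ATT&CK entry or the Atomic Red Team test: it parses a loginwindow plist, pulls out each recorded application path, and flags entries that do not live under a trusted application directory. It assumes the relaunch array is stored under the key TALAppsToRelaunchAtLogin (a key name known from macOS, not stated on this page) and that each element carries BundleID and Path fields; the trusted prefixes and the sample plist are constructed for the example.

```python
"""Audit the macOS "Reopen windows when logging back in" list for unexpected application paths."""
import glob
import os
import plistlib

# Directories from which relaunched apps are normally expected (an assumption for this example).
TRUSTED_PREFIXES = ("/Applications/", "/System/")

# Array key holding the relaunch list (known macOS key name; not stated on this page).
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"


def relaunch_entries(plist_bytes: bytes) -> list:
    """Return (BundleID, Path) pairs recorded in a loginwindow plist."""
    data = plistlib.loads(plist_bytes)
    entries = data.get(RELAUNCH_KEY, [])
    return [(e.get("BundleID", ""), e.get("Path", ""))
            for e in entries if isinstance(e, dict)]


def suspicious_entries(plist_bytes: bytes, trusted=TRUSTED_PREFIXES) -> list:
    """Return entries whose Path lies outside the trusted application prefixes."""
    return [(bundle, path) for bundle, path in relaunch_entries(plist_bytes)
            if not path.startswith(trusted)]


def scan_byhost(prefs_dir=None) -> dict:
    """Scan every com.apple.loginwindow.*.plist under the ByHost preferences directory."""
    prefs_dir = prefs_dir or os.path.expanduser("~/Library/Preferences/ByHost")
    findings = {}
    for path in glob.glob(os.path.join(prefs_dir, "com.apple.loginwindow.*.plist")):
        with open(path, "rb") as fh:
            flagged = suspicious_entries(fh.read())
        if flagged:
            findings[path] = flagged
    return findings


# Constructed sample: one ordinary system app and one hidden entry pointing into /private/tmp.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>TALAppsToRelaunchAtLogin</key>
  <array>
    <dict>
      <key>BackgroundState</key><integer>2</integer>
      <key>BundleID</key><string>com.apple.calculator</string>
      <key>Hide</key><false/>
      <key>Path</key><string>/System/Applications/Calculator.app</string>
    </dict>
    <dict>
      <key>BackgroundState</key><integer>2</integer>
      <key>BundleID</key><string>com.example.updater</string>
      <key>Hide</key><true/>
      <key>Path</key><string>/private/tmp/updater.app</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Run against the constructed sample, then against the live ByHost directory if present.
    for bundle, path in suspicious_entries(SAMPLE_PLIST):
        print(f"flagged: {bundle} -> {path}")
    for plist_path, flagged in scan_byhost().items():
        print(plist_path, flagged)
```

Running the script on a workstation lists any relaunch entry outside /Applications or /System; pairing that with a file-modification alert on ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist gives a simple detection for the test described below.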
MITRE
Tactic
- privilege-escalation
- persistence
Technique
- T1547.007
Test: Copy in loginwindow.plist for Re-Opened Applications
OS
- macos
Description:
Copy in new loginwindow.plist to launch Calculator.
Executor
sh