Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well, located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist.
An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine [1].
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | This feature can be disabled entirely with the following terminal command: |
M1017 | User Training | Holding the Shift key while logging in prevents apps from opening automatically. [2] |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Modification |
Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.
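
One way to act on a File Modification event for these plists is to compare the new contents against a saved baseline and report what was newly registered. This is an added example, not part of the original page. The key name `TALAppsToRelaunchAtLogin`, the entry fields `Path` and `BundleID`, and the list of expected install directories do not appear on the page, and the sample plists are constructed.

```python
import plistlib

# Key under which loginwindow stores the apps to reopen (not named on the page).
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Assumption: locations where legitimately installed apps normally live.
EXPECTED_PREFIXES = ("/Applications/", "/System/Applications/", "/System/Library/")


def relaunch_entries(plist_bytes):
    """Return {path: bundle_id} for every app registered to reopen at login."""
    try:
        data = plistlib.loads(plist_bytes)  # handles XML and binary plists
    except Exception:
        # A plist that no longer parses is itself worth an alert.
        raise ValueError("unparseable loginwindow plist")
    entries = data.get(RELAUNCH_KEY, []) if isinstance(data, dict) else []
    return {e.get("Path", ""): e.get("BundleID", "")
            for e in entries if isinstance(e, dict)}


def review_change(baseline_bytes, current_bytes):
    """Compare two snapshots; report new registrations and unusual paths."""
    before = relaunch_entries(baseline_bytes)
    after = relaunch_entries(current_bytes)
    findings = []
    for path, bundle_id in sorted(after.items()):
        if path in before:
            continue  # already present in the baseline
        unusual = not path.startswith(EXPECTED_PREFIXES)
        findings.append({"path": path, "bundle_id": bundle_id,
                         "outside_expected_dirs": unusual})
    return findings


def _sample(apps):
    # Constructed sample data in the binary plist format.
    return plistlib.dumps({RELAUNCH_KEY: [
        {"BundleID": b, "Path": p, "Hide": False, "BackgroundState": 2}
        for b, p in apps]}, fmt=plistlib.FMT_BINARY)


BASELINE = _sample([("com.apple.Safari", "/Applications/Safari.app")])
CURRENT = _sample([("com.apple.Safari", "/Applications/Safari.app"),
                   ("com.example.notes", "/Applications/Notes Example.app"),
                   ("com.example.updater", "/Users/alice/.cache/Updater.app")])

if __name__ == "__main__":
    for finding in review_change(BASELINE, CURRENT):
        print(finding)
```

A new entry is not malicious on its own, since the GUI writes the same key; the `outside_expected_dirs` flag only helps prioritise which registrations to review first.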