Boot or Logon Autostart Execution: Re-opened Applications

Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, the same information is also stored in property list (plist) files located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist.

An adversary can modify one of these files directly to include a link to their malicious executable, which provides a persistence mechanism each time the user reboots their machine [1].

ID: T1547.007
Sub-technique of: T1547
Platforms: macOS
Permissions Required: User
Version: 1.0
Created: 24 January 2020
Last Modified: 24 January 2020
Provided by LAYER 8

Mitigations

ID: M1042
Mitigation: Disable or Remove Feature or Program
Description: This feature can be disabled entirely with the following terminal command:

defaults write -g ApplePersistence -bool no

ID: M1017
Mitigation: User Training
Description: Holding the Shift key while logging in prevents apps from opening automatically. [2]

Detection

ID: DS0017
Data Source: Command
Data Component: Command Execution

ID: DS0022
Data Source: File
Data Component: File Modification

Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.
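
One way to act on this monitoring guidance, as an added example that is not part of the original page: compare two snapshots of a loginwindow plist and report newly registered re-open entries, flagging those outside expected application directories. It assumes the re-open list is stored under the TALAppsToRelaunchAtLogin key with Path and BundleID fields, which the page does not state; TRUSTED_ROOTS and the sample snapshots are constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Assumption (not from the page): loginwindow keeps the re-open list under this
# key as an array of dicts with "Path" and "BundleID" fields.
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Hypothetical allowlist of directories where re-opened apps normally live.
TRUSTED_ROOTS = ("/Applications", "/System/Applications", "/System/Library")


def relaunch_entries(plist_bytes):
    """Return {path: bundle_id} for every app registered to re-open at login."""
    data = plistlib.loads(plist_bytes)  # auto-detects XML and binary plists
    items = data.get(RELAUNCH_KEY, []) if isinstance(data, dict) else []
    entries = {}
    for item in items:
        if isinstance(item, dict) and isinstance(item.get("Path"), str):
            entries[item["Path"]] = item.get("BundleID", "")
    return entries


def is_trusted(path):
    """True when the path is under a trusted root with no hidden or '..' part."""
    parts = PurePosixPath(path).parts
    if any(p.startswith(".") for p in parts):
        return False
    roots = (PurePosixPath(r).parts for r in TRUSTED_ROOTS)
    return any(parts[:len(root)] == root for root in roots)


def review_change(baseline_bytes, current_bytes):
    """Compare two snapshots; report added entries and which ones need triage."""
    before = relaunch_entries(baseline_bytes)
    after = relaunch_entries(current_bytes)
    added = sorted(set(after) - set(before))
    return {"added": added, "suspicious": [p for p in added if not is_trusted(p)]}


# Constructed sample snapshots (not real host data).
_safari = {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app", "Hide": False}
_notes = {"BundleID": "com.apple.Notes", "Path": "/System/Applications/Notes.app", "Hide": False}
_odd = {"BundleID": "com.example.helper", "Path": "/Users/alice/.cache/helper.app", "Hide": True}
BASELINE = plistlib.dumps({RELAUNCH_KEY: [_safari]})
CURRENT = plistlib.dumps({RELAUNCH_KEY: [_safari, _notes, _odd]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(review_change(BASELINE, CURRENT))
```

In practice the snapshots would be read from the two plist locations named above each time a file modification event fires, with the previous copy kept as the baseline.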

References