Boot or Logon Autostart Execution: Plist Modification

Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use an information property list file, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML, based on Apple's Core Foundation DTD, and can be saved in text or binary format.[1]

Adversaries can modify the paths to executed binaries, add command-line arguments, and insert key/value pairs into plist files in auto-run locations which execute upon user logon or system startup. By modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key, combined with the path to a malicious dylib, under the EnvironmentVariables key in a plist file. Upon user logon, the plist is loaded for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.[2]
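The following is an added example, not part of the ATT&CK page and not MITRE's code: a small Python audit that parses an auto-run plist with the standard-library plistlib module and reports the two indicators described above, a DYLD_INSERT_LIBRARIES entry under EnvironmentVariables in a launchd job plist and an LSEnvironment dictionary in an application's Info.plist. It generalises slightly by flagging any variable with the DYLD_ prefix, since every dyld environment variable shares it, and it also reports a job whose program lives outside a set of assumed trusted directories. The sample plists, their labels and all paths in them are constructed placeholders; the trusted-prefix list is an assumption for this example.

```python
import plistlib
from typing import Any, List

# Directories assumed (for this example only) to be acceptable homes for a
# program launched by an auto-run plist; anything else is reported for review.
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                            "/Applications/", "/Library/")

# Constructed sample: a LaunchAgent whose EnvironmentVariables dictionary sets
# DYLD_INSERT_LIBRARIES, so the dylib is loaded into the program at launch.
# Label, program and dylib paths are made-up placeholders.
SAMPLE_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/Example</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>EnvironmentVariables</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.cache/inject.dylib</string>
  </dict>
</dict>
</plist>
"""

# Constructed sample: an application Info.plist carrying an LSEnvironment entry.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>CFBundleExecutable</key><string>Example</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.cache/inject.dylib</string>
  </dict>
</dict>
</plist>
"""

# Constructed sample: an ordinary LaunchAgent with nothing to report.
SAMPLE_BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.sync</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/sync</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def _env_findings(section: str, env: Any) -> List[str]:
    """Report any dyld environment variable set under a plist environment dict.
    DYLD_INSERT_LIBRARIES is the one named on the page; all dyld variables
    share the DYLD_ prefix, so the check covers the whole family."""
    findings: List[str] = []
    if isinstance(env, dict):
        for name, value in env.items():
            if str(name).startswith("DYLD_"):
                findings.append(f"{section} sets {name}={value!r}")
    return findings


def audit_autorun_plist(data: bytes) -> List[str]:
    """Return findings for a launchd job plist or an application Info.plist.
    plistlib.loads accepts XML and binary plists alike."""
    plist = plistlib.loads(data)
    if not isinstance(plist, dict):
        return ["top-level plist object is not a dictionary"]
    findings: List[str] = []
    # launchd applies EnvironmentVariables to the job it starts
    findings += _env_findings("EnvironmentVariables", plist.get("EnvironmentVariables"))
    # LaunchServices applies LSEnvironment when the app bundle is opened
    findings += _env_findings("LSEnvironment", plist.get("LSEnvironment"))
    # the executable a launchd job runs: Program, else ProgramArguments[0]
    program = plist.get("Program")
    args = plist.get("ProgramArguments")
    if program is None and isinstance(args, list) and args:
        program = args[0]
    if isinstance(program, str) and not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings.append(f"program {program!r} is outside the expected locations")
    return findings


if __name__ == "__main__":
    for name, blob in [("launch agent", SAMPLE_LAUNCH_AGENT),
                       ("Info.plist", SAMPLE_INFO_PLIST),
                       ("benign agent", SAMPLE_BENIGN_AGENT)]:
        print(name, "->", audit_autorun_plist(blob) or ["no findings"])
```

Run against a directory of LaunchAgents, the same function reports the environment-variable injection regardless of whether the plist is stored as XML or in binary form, because plistlib detects the format itself; the program-location check is deliberately coarse and is meant to surface entries for review, not to classify them on its own.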

ID: T1547.011
Sub-technique of:  T1547
Platforms: macOS
Permissions Required: Administrator, User
Version: 1.1
Created: 24 January 2020
Last Modified: 15 October 2021

Procedure Examples

ID     Name    Description
S0658  XCSSET  XCSSET uses the plutil command to modify the LSUIElement, DFBundleDisplayName, and CFBundleIdentifier keys in the /Contents/Info.plist file.[3]

Mitigations

ID     Mitigation                               Description
M1013  Application Developer Guidance           Ensure applications are using Apple's developer guidance which enables hardened runtime.[4]
M1022  Restrict File and Directory Permissions  Prevent plist files from being modified by users by making them read-only.
M1017  User Training                            Holding the shift key during login prevents apps from opening automatically.[5]

Detection

ID      Data Source  Data Component
DS0017  Command      Command Execution
DS0022  File         File Modification
DS0009  Process      Process Creation
DS0019  Service      Service Creation

Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist.

Monitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.
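As an added example of the "changes to any path pointers in a modified plist" check (not part of the ATT&CK page and not MITRE's code), the Python below parses two versions of the same launchd plist with plistlib, walks the nested dictionaries and arrays, and reports every path-like string that was added, removed or rewritten, keyed by its position in the structure. The before/after plists, the label and all paths are constructed placeholders; a real deployment would feed it the stored baseline copy and the file as observed after a File Modification event.

```python
import plistlib
from typing import Any, Dict, List, Optional, Tuple

# Constructed before/after versions of one LaunchAgent plist. Label and paths
# are made-up placeholders. "After" points the job at a different executable
# and adds an EnvironmentVariables dictionary of the kind the page describes.
BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/Example</string>
    <string>--agent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

AFTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/Shared/.cache/Example</string>
    <string>--agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>EnvironmentVariables</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.cache/inject.dylib</string>
  </dict>
</dict>
</plist>
"""


def collect_path_pointers(node: Any, location: str = "",
                          out: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Walk a parsed plist and return every string value that looks like a
    filesystem path, keyed by where it sits (e.g. 'ProgramArguments[0]')."""
    if out is None:
        out = {}
    if isinstance(node, dict):
        for key, value in node.items():
            collect_path_pointers(value, f"{location}.{key}" if location else str(key), out)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            collect_path_pointers(value, f"{location}[{index}]", out)
    elif isinstance(node, str) and node.startswith(("/", "~")):
        out[location] = node
    return out


def path_pointer_changes(old_plist: bytes, new_plist: bytes) -> List[Tuple[str, str, str]]:
    """Return (location, old_value, new_value) for every path pointer that was
    added, removed or rewritten between two versions of a plist. An empty
    string stands for 'absent in this version'."""
    before = collect_path_pointers(plistlib.loads(old_plist))
    after = collect_path_pointers(plistlib.loads(new_plist))
    changes: List[Tuple[str, str, str]] = []
    for location in sorted(before.keys() | after.keys()):
        if before.get(location) != after.get(location):
            changes.append((location, before.get(location, ""), after.get(location, "")))
    return changes


if __name__ == "__main__":
    for location, old, new in path_pointer_changes(BEFORE, AFTER):
        print(f"{location}: {old or '<absent>'} -> {new or '<absent>'}")
```

Keying each change by its structural location is what makes the output actionable: a rewritten ProgramArguments[0] means the job now runs a different binary, while a newly appearing EnvironmentVariables.DYLD_INSERT_LIBRARIES means a library will be injected into the original one, and the two warrant different follow-up.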

Identify new services executed from plist files modified in the previous user's session.

References