Try it using Invoke-Atomic

Plist File Modification

Description from ATT&CK

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)

Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications).

For example, adversaries can add a malicious application path to the

file, which controls apps that appear in the Dock. Adversaries can also modify the <code>LSUIElement</code> key in an application’s <code>info.plist</code> file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as <code>LSEnvironment</code>, to enable persistence via Dynamic Linker Hijacking.(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)

Atomic Tests

Atomic Test #1 - Plist Modification

Modify MacOS plist file in one of two directories

Supported Platforms: macos

auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8



Run it with these steps!

  1. Modify a .plist in




  2. Subsequently, follow the steps for adding and running via Launch Agent