T1647
Plist File Modification
Description from ATT&CK
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)
Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications).
For example, adversaries can add a malicious application path to the
file, which controls apps that appear in the Dock. Adversaries can also modify the <code>LSUIElement</code> key in an application’s <code>info.plist</code> file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as <code>LSEnvironment</code>, to enable persistence via Dynamic Linker Hijacking.(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)
https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/1
~/Library/Preferences/com.apple.dock.plist
Atomic Tests
Atomic Test #1 - Plist Modification
Modify MacOS plist file in one of two directories
Supported Platforms: macos
auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8
Inputs:
None
Run it with these steps!
-
Modify a .plist in
/Library/Preferences
OR
~/Library/Preferences
-
Subsequently, follow the steps for adding and running via Launch Agent
1