Resources | Picus Security

T1547.007 Re-opened Applications in MITRE ATT&CK Explained

Written by Sıla Özeren Hacıoğlu | Mar 26, 2026 5:45:00 AM

What Is T1547.007 Re-opened Applications in MITRE ATT&CK?

T1547.007 Re-opened Applications is a technique in the MITRE ATT&CK framework under the Persistence tactic. It refers to the feature in macOS that automatically reopens applications upon user login, enhancing user convenience. This functionality is controlled by a property list (plist) file that records the applications running during the last logout. When the user logs back in, the system automatically restarts the applications that were active during their previous session.

This built-in macOS feature allows for seamless continuity of user tasks but also provides a potential point for adversaries to exploit for persistence.

To read about other sub-techniques of the T1547 Boot or Logon Autostart Execution technique, you can visit the related hub blog.

Adversary Use of T1547.007 Re-opened Applications

Adversaries exploit macOS's "Re-opened Applications" feature by tampering with plist files, such as com.apple.loginwindow.<UUID>.plist, located in the user's ~/Library/Preferences/ByHost directory. This plist file contains the configuration for applications that are automatically relaunched when a user logs back in. Users typically opt into this feature via a prompt during logout, making it a trusted behavior.

To compromise this functionality, attackers manipulate the plist file using macOS commands. For example [1]:

$ plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist

This command displays the contents of the plist file, where adversaries can insert entries specifying their malicious applications. Each entry includes keys for the application's bundle identifier, background state, visibility settings, and file path.

An example of a modified plist entry might look like this:

{
  "TALAppsToRelaunchAtLogin" => [
    0 => {
      "BackgroundState" => 2,
      "BundleID" => "com.apple.ichat",
      "Hide" => 0,
      "Path" => "/System/Applications/Messages.app"
    },
    1 => {
      "BackgroundState" => 2,
      "BundleID" => "com.google.chrome",
      "Hide" => 0,
      "Path" => "/Applications/Google Chrome.app"
    },
    2 => {
      "BackgroundState" => 2,
      "BundleID" => "com.example.attacker",
      "Hide" => 0,
      "Path" => "/Applications/AttackerApp.app"
    }
  ]
}

In doing so, the malware is automatically executed each time the user logs in, leveraging legitimate macOS functionality to maintain a covert presence.
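For defenders, the same plist can be audited for relaunch entries that do not belong. The following Python sketch is an added example, not code from Picus or from the cited reference: it parses the TALAppsToRelaunchAtLogin array and reports entries that need review. The trusted directories, the baseline of bundle IDs, the three review rules and the fourth sample entry are assumptions made for illustration.

```python
import plistlib
import posixpath

# Assumption: directories where this example expects legitimate app bundles.
TRUSTED_ROOTS = ("/System/Applications/", "/Applications/")

def audit_relaunch_entries(plist_bytes, baseline_ids):
    """Return (bundle_id, path, reasons) for each entry that needs review."""
    try:
        data = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    except Exception as exc:
        return [("<unparsed>", "", [f"unreadable plist: {exc!r}"])]
    entries = data.get("TALAppsToRelaunchAtLogin", []) if isinstance(data, dict) else []
    findings = []
    for entry in entries:
        if not isinstance(entry, dict):
            findings.append(("<malformed>", "", ["entry is not a dictionary"]))
            continue
        bundle_id = str(entry.get("BundleID", ""))
        # Normalise so "/Applications/../tmp/x.app" is judged by its real location.
        path = posixpath.normpath(str(entry.get("Path", "")))
        reasons = []
        if bundle_id.lower() not in baseline_ids:  # baseline IDs are lowercase
            reasons.append("bundle ID not in baseline")
        if not path.startswith(TRUSTED_ROOTS):
            reasons.append("path outside trusted application directories")
        if entry.get("Hide"):
            reasons.append("set to launch hidden")
        if reasons:
            findings.append((bundle_id, path, reasons))
    return findings

def _app(bundle_id, path, hide=0):
    return {"BackgroundState": 2, "BundleID": bundle_id, "Hide": hide, "Path": path}

# Constructed sample: the three entries from the listing above plus one
# constructed entry that lives under a user-writable directory.
SAMPLE = plistlib.dumps({"TALAppsToRelaunchAtLogin": [
    _app("com.apple.ichat", "/System/Applications/Messages.app"),
    _app("com.google.chrome", "/Applications/Google Chrome.app"),
    _app("com.example.attacker", "/Applications/AttackerApp.app"),
    _app("com.example.updater", "/Users/demo/Library/Updater.app", hide=1),
]}, fmt=plistlib.FMT_BINARY)
BASELINE = {"com.apple.ichat", "com.google.chrome"}  # assumed known-good IDs

if __name__ == "__main__":
    for bundle_id, path, reasons in audit_relaunch_entries(SAMPLE, BASELINE):
        print(f"REVIEW {bundle_id} {path}: {'; '.join(reasons)}")
```

On a real host, pass in the bytes read from the user's com.apple.loginwindow.<UUID>.plist file and build the baseline from the applications your fleet is expected to run.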


Reference

[1] “Chapter 0x2: Persistence.” Available: https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf. [Accessed: Dec. 28, 2023]