T1647 - Plist File Modification

Description from ATT&CK (opens in a new tab)

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)

Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window (opens in a new tab)) or running additional commands for persistence (ex: Launch Agent (opens in a new tab)/Launch Daemon (opens in a new tab) or Re-opened Applications (opens in a new tab)).

For example, adversaries can add a malicious application path to the ~/Library/Preferences/com.apple.dock.plist file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application’s info.plist file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment, to enable persistence via Dynamic Linker Hijacking (opens in a new tab).(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)

Atomic Tests

• Atomic Test #1 - Plist Modification

Atomic Test #1 - Plist Modification

Modify MacOS plist file in one of two directories

Supported Platforms: macOS

auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8

Run it with these steps!

1. Modify a .plist in

   /Library/Preferences

   OR

   ~/Library/Preferences

2. Subsequently, follow the steps for adding and running via Launch Agent