Boot or Logon Autostart Execution: Re-opened Applications
Other sub-techniques of Boot or Logon Autostart Execution (15)
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
Mitigations |
|
Mitigation | Description |
---|---|
Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
User Training |
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Detection
Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.
References
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.