|T1547.001||Registry Run Keys / Startup Folder|
|T1547.004||Winlogon Helper DLL|
|T1547.005||Security Support Provider|
|T1547.006||Kernel Modules and Extensions|
|T1547.013||XDG Autostart Entries|
Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files,
Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.
Adversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the
DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the
EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the
LSEnvironment key in the application's
|M1013||Application Developer Guidance||
Ensure applications are using Apple's developer guidance which enables hardened runtime.
|M1022||Restrict File and Directory Permissions||
Prevent plist files from being modified by users by making them read-only.
Holding the shift key during login prevents apps from opening automatically.
|ID||Data Source||Data Component|
Monitor for common command-line editors used to modify plist files located in auto-run locations, such as
~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's
Monitor for plist file modification immediately followed by code execution from
~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.
Identify new services executed from plist modified in the previous user's session.