Re-opened Applications - T1547.007
(ATT&CK® Technique)
Definition
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon.
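An added example (not part of the D3FEND or ATT&CK page) of analyzing the file described above: it parses a com.apple.loginwindow plist and flags re-open entries whose paths fall outside an allowlist. The `TALAppsToRelaunchAtLogin` key with its `Path` and `BundleID` fields, the allowlist and the sample data are assumptions that the page does not state.

```python
import glob
import os
import plistlib
import posixpath

# Assumption (not stated on the page): re-open entries are dicts with "Path" and
# "BundleID" under this top-level key, as commonly observed on macOS.
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Hypothetical allowlist of install locations; adjust for your fleet.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/")


def audit_reopen_list(data: bytes) -> list:
    """Return a finding for each re-open entry that deserves a closer look."""
    plist = plistlib.loads(data)  # accepts both XML and binary plists
    findings = []
    for entry in plist.get(RELAUNCH_KEY, []):
        raw = entry.get("Path", "")
        # Normalize so "/Applications/../tmp/x" cannot pass the prefix check.
        path = posixpath.normpath(raw) if raw else ""
        reasons = []
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("outside trusted application directories")
        if any(p.startswith(".") for p in path.split("/")):
            reasons.append("hidden path component")
        if not entry.get("BundleID"):
            reasons.append("missing BundleID")
        if reasons:
            findings.append({"path": raw, "reasons": reasons})
    return findings


# Constructed sample data, serialized as a binary plist.
SAMPLE = plistlib.dumps({RELAUNCH_KEY: [
    {"BundleID": "com.example.editor", "Path": "/Applications/Editor.app"},
    {"BundleID": "com.example.updater", "Path": "/Users/alice/.cache/Updater.app"},
    {"Path": "/Applications/../private/tmp/helper.app"},
]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for finding in audit_reopen_list(SAMPLE):
        print("sample:", finding)
    pattern = os.path.expanduser(
        "~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist")
    for name in glob.glob(pattern):
        with open(name, "rb") as fh:
            for finding in audit_reopen_list(fh.read()):
                print(name, finding)
```

A finding is a prompt for review, not a verdict: applications legitimately installed under a user's home directory will also be reported until the allowlist covers them.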
D3FEND Inferred Relationships
Re-opened Applications (T1547.007) modifies the artifact Application Configuration File. The defensive techniques below act on that artifact and are therefore inferred to relate to the technique:
File Integrity Monitoring: analyzes Application Configuration File; may-detect Re-opened Applications
File Eviction: deletes Application Configuration File; may-evict Re-opened Applications
File Encryption: encrypts Application Configuration File; may-harden Re-opened Applications
Content Modification: modifies Application Configuration File; may-isolate Re-opened Applications
Content Quarantine: quarantines Application Configuration File; may-isolate Re-opened Applications
Remote File Access Mediation: isolates Application Configuration File; may-isolate Re-opened Applications
Content Filtering: filters Application Configuration File; may-isolate Re-opened Applications
Local File Permissions: restricts Application Configuration File; may-isolate Re-opened Applications
Restore File: restores Application Configuration File; may-restore Re-opened Applications
File Analysis: analyzes Application Configuration File; may-detect Re-opened Applications
Decoy File: spoofs Application Configuration File; may-deceive Re-opened Applications