MITRE ATT&CK Technique
Description
Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges). Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Property list (plist) files contain all of the information '
'that macOS and OS X uses to configure applications and '
'services. These files are UTF-8 encoded and formatted like '
'XML documents via a series of keys surrounded by < >. They '
'detail when programs should execute, file paths to the '
'executables, program arguments, required OS permissions, and '
'many others. plists are located in certain locations '
'depending on their purpose such as '
'<code>/Library/Preferences</code> (which execute with '
'elevated privileges) and <code>~/Library/Preferences</code> '
"(which execute with a user's privileges). \n"
'Adversaries can modify these plist files to point to their '
'own code, can use them to execute their code in the context '
'of another user, bypass whitelisting procedures, or even use '
'them as a persistence mechanism. (Citation: Sofacy Komplex '
'Trojan)',
'external_references': [{'external_id': 'T1150',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1150'},
{'description': 'Dani Creus, Tyler Halfpop, Robert '
'Falcone. (2016, September 26). '
"Sofacy's 'Komplex' OS X Trojan. "
'Retrieved July 8, 2017.',
'source_name': 'Sofacy Komplex Trojan',
'url': 'https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/'}],
'id': 'attack-pattern--06780952-177c-4247-b978-79c357fb311f',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:21.027Z',
'name': 'Plist Modification',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.1'}