TIARAS - T1164: Re-opened Applications

MITRE ATT&CK Technique

Persistence T1164

Description

Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist</code>. An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).

Supported Platforms

macOS

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2017-12-14T16:46:06.044Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Starting in Mac OS X 10.7 (Lion), users can specify certain '
                'applications to be re-opened when a user reboots their '
                'machine. While this is usually done via a Graphical User '
                'Interface (GUI) on an app-by-app basis, there are property '
                'list files (plist) that contain this information as well '
                'located at '
                '<code>~/Library/Preferences/com.apple.loginwindow.plist</code> '
                'and '
                '<code>~/Library/Preferences/ByHost/com.apple.loginwindow.* '
                '.plist</code>. \n'
                '\n'
                'An adversary can modify one of these files directly to '
                'include a link to their malicious executable to provide a '
                'persistence mechanism each time the user reboots their '
                'machine (Citation: Methods of Mac Malware Persistence).',
 'external_references': [{'external_id': 'T1164',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1164'},
                         {'description': 'Patrick Wardle. (2014, September). '
                                         'Methods of Malware Persistence on '
                                         'Mac OS X. Retrieved July 5, 2017.',
                          'source_name': 'Methods of Mac Malware Persistence',
                          'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'}],
 'id': 'attack-pattern--6a3be63a-64c5-4678-a036-03ff8fc35300',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:54.452Z',
 'name': 'Re-opened Applications',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '1.2'}

Quick Actions

Edit TTP Update from Web

Back to TTPs

Dashboard About