MITRE ATT&CK Technique
Description
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon. Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the <code>com.apple.loginwindow.[UUID].plist</code> file to execute payloads when a user logs in.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-24T18:15:06.641Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may modify plist files to automatically run an '
'application when a user logs in. When a user logs out or '
'restarts via the macOS Graphical User Interface (GUI), a '
'prompt is provided to the user with a checkbox to "Reopen '
'windows when logging back in".(Citation: Re-Open windows on '
'Mac) When selected, all applications currently open are added '
'to a property list file named '
'<code>com.apple.loginwindow.[UUID].plist</code> within the '
'<code>~/Library/Preferences/ByHost</code> '
'directory.(Citation: Methods of Mac Malware '
'Persistence)(Citation: Wardle Persistence Chapter) '
'Applications listed in this file are automatically reopened '
'upon the user’s next logon.\n'
'\n'
'Adversaries can establish '
'[Persistence](https://attack.mitre.org/tactics/TA0003) by '
'adding a malicious application path to the '
'<code>com.apple.loginwindow.[UUID].plist</code> file to '
'execute payloads when a user logs in.',
'external_references': [{'external_id': 'T1547.007',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1547/007'},
{'description': 'Apple. (2016, December 6). '
'Automatically re-open windows, apps, '
'and documents on your Mac. Retrieved '
'July 11, 2017.',
'source_name': 'Re-Open windows on Mac',
'url': 'https://support.apple.com/en-us/HT204005'},
{'description': 'Patrick Wardle. (2014, September). '
'Methods of Malware Persistence on '
'Mac OS X. Retrieved July 5, 2017.',
'source_name': 'Methods of Mac Malware Persistence',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
{'description': 'Patrick Wardle. (n.d.). Chapter 0x2: '
'Persistence. Retrieved April 13, '
'2022.',
'source_name': 'Wardle Persistence Chapter',
'url': 'https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf'}],
'id': 'attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:32.375Z',
'name': 'Re-opened Applications',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.2'}