AN0349: Analytic 0349
Unusual modification or creation of loginwindow-related plist files in '~/Library/Preferences/ByHost' correlated with unauthorized application paths and execution upon login.
Analyst context for executives and security teams
This analytic matters because macOS login-time configuration can become a quiet way for unwanted software to run when a user signs in. For leaders, the practical question is whether the organization can prove it monitors user-level macOS preference changes, relates them to application paths, and investigates unexpected execution at login before it becomes an operational or compliance issue.
Executive priority
Prioritize this as a macOS endpoint visibility and response-readiness check. It helps validate whether security teams can detect suspicious changes in user preference files tied to login behavior, especially where macOS systems are used by privileged users, developers, executives, or regulated workflows. The decision value is not that this analytic guarantees detection, but that it exposes whether endpoint logging, managed detection workflows, and incident response playbooks can connect configuration change, application path legitimacy, and login execution evidence.
Technical view
The supplied analytic focuses on macOS and describes unusual creation or modification of loginwindow-related plist files under '~/Library/Preferences/ByHost', correlated with unauthorized application paths and execution upon login. SOC and detection engineering teams should validate whether they collect file creation/modification telemetry for that path, can parse or inspect relevant plist content, can identify application paths referenced by those files, and can correlate those changes with subsequent process execution during user login. Because no official detection logic or ATT&CK tactic is supplied, implementation should be tested against local macOS baselines rather than assumed from the ATT&CK entry alone.
Likely telemetry
- macOS file creation and modification events for '~/Library/Preferences/ByHost'
- File metadata and content inspection for loginwindow-related plist files
- Process execution telemetry at or shortly after user login
- Application path inventory or allow/deny context for authorized versus unauthorized paths
- User login/session events to support correlation timing
Detection direction
- Baseline normal loginwindow-related plist activity on managed macOS endpoints before alerting on all changes.
- Correlate plist creation or modification with the referenced application path and with process execution upon login, as described by the analytic.
- Tune for legitimate administrative tools, endpoint management agents, software installers, and user-approved login items to reduce false positives.
- Validate whether telemetry covers user home directories and ByHost preference files; many endpoint programs focus on system paths and may miss user-level persistence-like configuration changes.
- Require local definition of 'unauthorized application paths' using asset inventory, software management policy, or approved application lists.
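As an added example that is not part of the ATT&CK object or Glexia's analysis, the detection direction above in Python: parse a loginwindow ByHost plist, extract the application paths it references, test them against an approved-path policy, and correlate with process execution shortly after login. The `TALAppsToRelaunchAtLogin` key, the approved prefixes, the hardware UUID and the sample telemetry are assumptions constructed for this example.

```python
import plistlib
import re
from datetime import datetime, timedelta

# Approved application-path prefixes: a constructed stand-in for the local
# software policy that, per the analytic, each environment must define itself.
APPROVED_PREFIXES = ("/Applications/", "/System/Applications/")
# ByHost loginwindow preferences are named com.apple.loginwindow.<hardware UUID>.plist
LOGINWINDOW_RE = re.compile(r"^com\.apple\.loginwindow\.[0-9A-Fa-f-]+\.plist$")

def referenced_paths(plist_bytes):
    """Application paths the plist asks loginwindow to relaunch at login.
    Assumes the TALAppsToRelaunchAtLogin key that macOS Resume writes."""
    data = plistlib.loads(plist_bytes)
    return [e["Path"] for e in data.get("TALAppsToRelaunchAtLogin", []) if "Path" in e]

def unauthorized_paths(paths):
    """Paths outside the approved-prefix policy."""
    return [p for p in paths if not p.startswith(APPROVED_PREFIXES)]

def correlate(plist_files, exec_events, login_time, window=timedelta(minutes=2)):
    """Flag loginwindow plists referencing unapproved paths and record whether
    a binary under that path executed within `window` after the login.
    plist_files: {filename: bytes}; exec_events: [(timestamp, executable_path)]."""
    findings = []
    for name, blob in plist_files.items():
        if not LOGINWINDOW_RE.match(name):
            continue  # other ByHost plists are out of scope for this analytic
        for path in unauthorized_paths(referenced_paths(blob)):
            ran = [ts for ts, exe in exec_events
                   if exe.startswith(path) and login_time <= ts <= login_time + window]
            findings.append({"plist": name, "path": path, "executed_at_login": bool(ran)})
    return findings

# Constructed sample data: one ByHost plist with an approved and an unapproved entry,
# and two process-execution events observed shortly after a user login.
SAMPLE_PLIST = plistlib.dumps({"TALAppsToRelaunchAtLogin": [
    {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app", "Hide": False},
    {"BundleID": "com.example.helper", "Path": "/Users/alice/.cache/helper.app", "Hide": True},
]})
LOGIN = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EXEC = [
    (LOGIN + timedelta(seconds=20), "/Applications/Safari.app/Contents/MacOS/Safari"),
    (LOGIN + timedelta(seconds=35), "/Users/alice/.cache/helper.app/Contents/MacOS/helper"),
]

def demo():
    files = {"com.apple.loginwindow.0E4A1F9C-1234-5678-9ABC-DEF012345678.plist": SAMPLE_PLIST}
    return correlate(files, SAMPLE_EXEC, LOGIN)
```

Running `demo()` returns one finding for the unapproved path with `executed_at_login` set, while the approved Safari entry produces nothing; in production the approved prefixes and the login window come from the local baseline described above.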
Mitigation priorities
- Ensure macOS endpoints are enrolled in endpoint management and security monitoring capable of collecting user-level preference file changes.
- Maintain an approved software and application path policy so detections can distinguish expected login applications from unauthorized ones.
- Restrict unnecessary user ability to install or run unapproved applications where business policy allows.
- Create an incident response check for suspicious login-time execution that includes reviewing the relevant plist, the modifying process, the referenced application path, and recent user login activity.
- Use this analytic as compliance evidence only after validating collection, correlation, triage ownership, and response procedures in the local environment.
Analyst notes and limits
This is a detection analytic object, not a full technique description. It is service-relevant for managed detection, macOS endpoint hardening validation, incident response readiness, and compliance evidence around endpoint monitoring. Relationship context was not supplied, so no related techniques, software, groups, campaigns, or mitigations are inferred.
The object provides no official detection logic, no tactics, and no relationships. It supports only macOS-specific conclusions about unusual loginwindow-related plist creation or modification in '~/Library/Preferences/ByHost' correlated with unauthorized application paths and login execution. Local baselines and approved software policy are required to decide what is suspicious.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9f2bd00aad75… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0349
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.