DET0125: Detect persistence via reopened application plist modification (macOS)
Analyst context for executives and security teams
DET0125 is a macOS-focused detection strategy tied to persistence through Re-opened Applications, where plist changes can cause applications to launch again at user login. The business value is not just spotting a file change; it is validating whether macOS endpoint monitoring can distinguish normal user session behavior from persistence-relevant modification of loginwindow ByHost preference data.
Executive priority
Treat this as a coverage validation item for macOS fleet resilience and incident readiness. Leaders should ask whether managed detection, endpoint logging, and IR playbooks can prove visibility into user-level persistence paths, especially where macOS systems are used by privileged staff, developers, administrators, or regulated business functions. Because the ATT&CK detection object itself does not provide official detection logic, priority should be based on local macOS exposure, endpoint telemetry maturity, and the importance of demonstrating persistence-detection evidence for audits or incident reviews.
Technical view
This detection strategy covers ATT&CK T1547.007, Re-opened Applications, which is associated with the persistence and privilege-escalation tactics on macOS. SOC and detection engineering teams should validate visibility into modifications of com.apple.loginwindow.[UUID].plist under ~/Library/Preferences/ByHost and correlate those changes with user logout, restart, login, and application execution context. Detection should focus on unusual or unexpected plist modification patterns rather than treating every change as malicious, because the related technique description indicates that legitimate GUI behavior creates or updates these files when users choose to reopen windows at login.
Likely telemetry
- macOS file modification events for ~/Library/Preferences/ByHost/com.apple.loginwindow.[UUID].plist
- Endpoint process execution telemetry around processes modifying the plist
- User login, logout, and restart/session events
- Application launch events after login
- Endpoint security or EDR alerts involving macOS persistence-related preference changes
Detection direction
- Confirm the organization collects file-change telemetry for user Library Preferences ByHost paths on macOS endpoints.
- Tune detection to account for legitimate macOS GUI behavior when users select 'Reopen windows when logging back in'.
- Correlate plist modification with subsequent application launch at login to improve confidence and reduce noise.
- Review whether detections distinguish expected Apple/system behavior, user-driven session restoration, and unexpected modifying processes.
- Prioritize coverage testing on macOS systems used by higher-risk users or business-critical roles.
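The detection direction above, as an added example that is not part of the Glexia page or MITRE's content: a small triage routine run over constructed endpoint events that flags loginwindow ByHost plist modifications by an unexpected writer, checks for a nearby logout/restart (the expected session-save context), and raises confidence when an application launch follows the user's next login. The telemetry format, the EXPECTED_WRITERS baseline, and the five-minute window are assumptions for illustration and must be tuned to local telemetry.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Plist path named by the detection strategy; the UUID segment is the host's hardware UUID.
PLIST_RE = re.compile(r"^/Users/[^/]+/Library/Preferences/ByHost/"
                      r"com\.apple\.loginwindow\.[0-9A-Fa-f-]{36}\.plist$")
# Assumed baseline of legitimate writers during a session save; confirm against fleet telemetry.
EXPECTED_WRITERS = {"cfprefsd", "loginwindow"}
SESSION_WINDOW = timedelta(minutes=5)  # assumed correlation window
Event = namedtuple("Event", "ts kind user process path")  # kind: file_modify|logout|restart|login|app_launch

def parse_event(line):
    """Parse one constructed telemetry line of the form ts|kind|user|process|path."""
    ts, kind, user, process, path = line.split("|")
    return Event(datetime.fromisoformat(ts), kind, user, process, path)

def assess(events):
    """Rate each loginwindow ByHost plist modification as low, medium or high."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for m in (e for e in events if e.kind == "file_modify" and PLIST_RE.match(e.path)):
        same_user = [e for e in events if e.user == m.user]
        # Expected session save: a logout/restart for the same user close to the write.
        near_session = any(e.kind in ("logout", "restart")
                           and abs(e.ts - m.ts) <= SESSION_WINDOW for e in same_user)
        unexpected = m.process not in EXPECTED_WRITERS
        # Correlation from the detection direction: an app launch right after the next login.
        nxt = next((e for e in same_user if e.kind == "login" and e.ts > m.ts), None)
        launched = nxt is not None and any(
            e.kind == "app_launch" and nxt.ts < e.ts <= nxt.ts + SESSION_WINDOW
            for e in same_user)
        severity = ("high" if unexpected and launched
                    else "medium" if unexpected or not near_session else "low")
        findings.append({"user": m.user, "process": m.process, "severity": severity,
                         "unexpected_writer": unexpected, "near_session": near_session,
                         "launch_after_login": launched})
    return findings

# Constructed sample telemetry (not real logs): a benign session save by alice, then an unexpected writer for bob followed by an app launch at bob's next login.
SAMPLE = [
    "2024-05-01T09:00:00|logout|alice|loginwindow|",
    "2024-05-01T09:00:02|file_modify|alice|cfprefsd|/Users/alice/Library/Preferences/ByHost/com.apple.loginwindow.0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B.plist",
    "2024-05-01T14:30:00|file_modify|bob|python3|/Users/bob/Library/Preferences/ByHost/com.apple.loginwindow.0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B.plist",
    "2024-05-01T18:00:00|login|bob|loginwindow|",
    "2024-05-01T18:00:04|app_launch|bob|loginwindow|/Applications/Calendar.app",
]

def run_sample():
    return assess([parse_event(line) for line in SAMPLE])
```

The writer baseline and window are the tuning knobs the page calls out: document approved session-restore behavior first, then narrow EXPECTED_WRITERS to what your own telemetry shows.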
Mitigation priorities
- Establish macOS endpoint visibility for user-level persistence locations before relying on alerting.
- Harden and monitor managed macOS configurations where business risk justifies it, with attention to persistence-related preference paths.
- Use least-privilege and endpoint management practices to reduce opportunities for unauthorized persistence changes.
- Document approved macOS session restoration behavior so SOC teams have a baseline for triage.
- Include this persistence path in incident response checklists for macOS investigations and post-compromise reviews.
Analyst notes and limits
The strongest use of this object is as a defensive coverage question: can the team observe and explain changes to macOS loginwindow ByHost plist files and resulting application launches? Relationship context supplies the related technique, tactics, macOS platform, and plist path. The detection strategy object itself has no official description or detection content in the supplied fields.
This take is limited to the supplied ATT&CK fields and relationship context. Platforms are not specified on the DET0125 object itself; macOS is supported through the related T1547.007 technique. No claims are made about active exploitation, actor use, prevalence, impact, or guaranteed detection coverage.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.007 | Re-opened Applications Sub-technique | This object detects Re-opened Applications. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 844f2c5d1771… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0125
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.