T1547.007: Re-opened Applications
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".[1] When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.[2][3] Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.
Analyst context for executives and security teams
This macOS technique matters because it uses a normal user convenience feature—reopening applications at login—as a persistence mechanism. If an attacker can modify the relevant loginwindow property list, a malicious application can be relaunched when the user logs back in, making removal and incident containment harder if teams only check more common startup locations.
Executive priority
Prioritize this as part of macOS endpoint resilience and incident response readiness. Leaders should ask whether managed detection and IR playbooks cover macOS login persistence beyond standard login items, and whether endpoint telemetry can show unexpected changes under user preference locations. The business risk is not the feature itself, but the possibility that a compromised user session can regain execution after logout or restart.
Technical view
ATT&CK identifies this as a macOS sub-technique of Boot or Logon Autostart Execution under persistence and privilege escalation. Defenders should validate monitoring for modifications to com.apple.loginwindow.[UUID].plist in ~/Library/Preferences/ByHost and review reopened application entries for unexpected application paths. The related detection strategy DET0125 specifically points to detecting persistence through reopened application plist modification on macOS. Because MITRE provides no official detection text for this object, teams should test locally with approved benign scenarios and tune around legitimate user-driven reopen behavior.
Likely telemetry
- macOS file modification events for ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
- Endpoint process and application launch events at user logon
- File path and code-signing or application reputation context for applications referenced by loginwindow plist entries
- User logon, logout, and restart events to correlate automatic relaunch behavior
- Endpoint management or EDR inventory showing macOS hosts and collected preference-file telemetry
Detection direction
- Confirm whether DET0125-equivalent logic exists for macOS reopened application plist modification.
- Baseline normal changes to loginwindow plist files, because the underlying feature can be used legitimately by users.
- Alert on newly added or unusual application paths in com.apple.loginwindow.[UUID].plist, especially paths outside expected application locations or inconsistent with the user’s normal software profile.
- Correlate plist changes with subsequent application execution after logon to reduce noise and support incident timelines.
- Check for blind spots on unmanaged Macs, user home directory preference paths, and telemetry pipelines that collect process events but not user-level plist file changes.
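One way to implement the baseline and path review described in the list above, as an added example rather than MITRE's or this page's own code. It assumes the relaunch list is stored under the `TALAppsToRelaunchAtLogin` key with a `Path` field per entry; the expected-location prefixes, baseline and sample plist are constructed for illustration.

```python
import plistlib
import posixpath
from pathlib import Path

# Assumption: relaunch entries are dicts with a "Path" field under this key.
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Assumption: locations treated as expected for this fleet; tune locally.
EXPECTED_PREFIXES = ("/Applications/", "/System/Applications/", "/System/Library/CoreServices/")

def relaunch_paths(plist_bytes):
    """Return the application paths listed for relaunch (XML or binary plist)."""
    data = plistlib.loads(plist_bytes)
    entries = data.get(RELAUNCH_KEY, []) if isinstance(data, dict) else []
    return [e["Path"] for e in entries if isinstance(e, dict) and "Path" in e]

def review(plist_bytes, baseline=frozenset()):
    """Flag entries that are new versus the baseline or outside expected locations."""
    findings = []
    for path in relaunch_paths(plist_bytes):
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        # Normalise first so "/Applications/../tmp/x.app" cannot pass the prefix check.
        if not posixpath.normpath(path).startswith(EXPECTED_PREFIXES):
            reasons.append("outside expected locations")
        if reasons:
            findings.append((path, reasons))
    return findings

def scan_home(home, baseline=frozenset()):
    """Review every loginwindow ByHost plist under one user's home directory."""
    byhost = Path(home) / "Library" / "Preferences" / "ByHost"
    results = {}
    for f in sorted(byhost.glob("com.apple.loginwindow.*.plist")):
        try:
            results[f.name] = review(f.read_bytes(), baseline)
        except Exception as exc:  # malformed or unreadable plist is itself worth a look
            results[f.name] = [("<unreadable>", [type(exc).__name__])]
    return results

# Constructed sample, not taken from a real host.
SAMPLE = plistlib.dumps({RELAUNCH_KEY: [
    {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app"},
    {"BundleID": "com.example.updater", "Path": "/Users/alice/.cache/Updater.app"},
]})
BASELINE = frozenset({"/Applications/Safari.app"})

if __name__ == "__main__":
    print(review(SAMPLE, BASELINE))
```

Running `scan_home` on a schedule and storing each host's accepted paths as its baseline gives the "newly added" signal without alerting on every user-driven reopen.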
Mitigation priorities
- Use M1042-aligned hardening where appropriate by disabling or removing unnecessary features, programs, or software that increase persistence opportunities, while considering business impact on macOS usability.
- Use M1017-aligned user training so users understand the reopen-windows behavior and report unexpected applications launching after login.
- Maintain macOS endpoint management coverage sufficient to inspect user preference locations and validate configuration drift.
- During IR, remove unauthorized reopened application entries and verify that related malicious applications or payload paths are also removed, not just the plist reference.
Analyst notes and limits
This object is narrow but operationally important for macOS-heavy environments. It should be assessed alongside the parent technique T1547, Boot or Logon Autostart Execution, because attackers may use multiple autostart locations. The revoked T1164 relationship indicates this content supersedes an older ATT&CK technique representation for the same behavior.
MITRE does not provide official detection text for this technique, and the supplied data does not identify specific adversary use, active exploitation, tools, or impacts. Coverage decisions require local evidence about macOS fleet size, endpoint telemetry, management controls, and accepted user behavior around reopened applications.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547 | Boot or Logon Autostart Execution | This object is a sub-technique of Boot or Logon Autostart Execution. |
| Enterprise | T1164 | Re-opened Applications | Re-opened Applications (T1164) is revoked by this object. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | c2b4dbba65a5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Re-Open windows on Mac. Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017.
- [2] Methods of Mac Malware Persistence. Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- [3] Wardle Persistence Chapter. Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.
- [4] mitre-attack T1547.007
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.