T1647: Plist File Modification
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.[1]
Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications).
For example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist` file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application’s info.plist file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment, to enable persistence via Dynamic Linker Hijacking.[2][3]
Analyst context for executives and security teams
Plist File Modification is a macOS defense-impairment technique where an adversary changes application or preference property lists to influence how macOS runs or presents software. For leaders, the risk is not the plist file itself; it is that small configuration changes can help malicious activity blend into normal application behavior, hide windows, support persistence paths, or influence runtime environment settings.
Executive priority
Prioritize this where macOS endpoints support critical users, developers, administrators, or regulated workflows. The business question is whether security teams can prove visibility into sensitive plist changes and connect those changes to persistence or evasion behaviors. This is especially relevant for SOC readiness, incident response scoping, endpoint hardening, and audit evidence that macOS configuration changes are monitored rather than assumed trustworthy.
Technical view
Validate macOS-focused monitoring for plist creation and modification in user and application paths, especially Info.plist files, ~/Library/Preferences/com.apple.dock.plist, and plist content associated with Launch Agents, Launch Daemons, re-opened applications, hidden window behavior, and dynamic linker environment settings such as LSEnvironment. ATT&CK provides no native detection text for T1647, but the relationship to DET0109 indicates a dedicated detection strategy exists. ATT&CK also maps XCSSET and Cuckoo Stealer software to this technique, so detections should be tested against behavior patterns rather than malware names alone.
Likely telemetry
- macOS file modification events for plist files in application bundles and user preference locations
- Endpoint security or EDR events showing process-to-file relationships for plist writes
- File integrity monitoring or configuration monitoring for sensitive plist paths and keys
- Command-line or script execution telemetry preceding plist changes
- Launch Agent, Launch Daemon, and re-opened application configuration evidence linked to plist updates
Detection direction
- Confirm that binary and XML plist formats are parsed or normalized; relying only on text search can miss binary plist changes.
- Baseline expected plist churn from legitimate application installs, updates, developer tools, and user preference changes to reduce false positives.
- Alert more strongly when plist modification is followed by persistence-related behavior, background execution, hidden-window behavior, or unusual environment-variable injection.
- Correlate the modifying process, code-signing or application identity where available, user context, path, and timestamp rather than treating every plist write as malicious.
- Use DET0109 as the ATT&CK-related detection-strategy anchor, but validate local telemetry coverage because the official technique object does not include detection guidance.
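The points above about parsing both plist formats and flagging only the keys tied to hidden-window, persistence and environment-injection behavior can be checked offline. The following Python is an added example (not code from the page, Glexia or MITRE): it uses the standard-library plistlib, which autodetects XML and binary plists, and reports the keys the technique description names. The key-to-reason mapping, the severity ranking and the sample plists are constructed for this example and are not an official ATT&CK data source.

```python
"""Added example: inspect XML or binary plists for keys associated with
T1647 behaviors (hidden window, launch agent/daemon persistence,
LSEnvironment-based dynamic linker injection). Findings are meant to be
correlated with the writing process, code signature and user context,
not alerted on directly."""
import plistlib
from typing import Any

# Assumed mapping for this example: key -> why a defender cares.
SENSITIVE_KEYS = {
    "LSUIElement": "hidden window / background execution (Info.plist)",
    "LSBackgroundOnly": "background execution (Info.plist)",
    "LSEnvironment": "environment injection; DYLD_* variables are the concern",
    "RunAtLoad": "launch agent/daemon persistence",
    "KeepAlive": "launch agent/daemon persistence",
    "ProgramArguments": "launch agent/daemon program",
    "persistent-apps": "Dock persistent application list (com.apple.dock.plist)",
}
SEVERITY_RANK = {"none": 0, "info": 1, "review": 2, "high": 3}


def detect_format(data: bytes) -> str:
    """Binary plists start with the 'bplist' magic; everything else is XML."""
    return "binary" if data.startswith(b"bplist") else "xml"


def load_plist(data: bytes) -> dict:
    """plistlib.loads() handles both formats without a fmt argument."""
    return plistlib.loads(data)


def _truthy(value: Any) -> bool:
    # Info.plist values are sometimes <true/> and sometimes <string>1</string>.
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value == 1
    return isinstance(value, str) and value.lower() in ("1", "true", "yes")


def inspect_plist(data: bytes, path: str = "<memory>") -> list[dict]:
    """Return one finding per sensitive key present in the plist."""
    root = load_plist(data)
    findings = []
    for key, reason in SENSITIVE_KEYS.items():
        if key not in root:
            continue
        value = root[key]
        severity = "info"
        if key in ("LSUIElement", "LSBackgroundOnly", "RunAtLoad") and _truthy(value):
            severity = "review"
        if key == "LSEnvironment" and isinstance(value, dict) and any(
            name.startswith("DYLD_") for name in value
        ):
            severity = "high"
        findings.append({
            "path": path, "format": detect_format(data), "key": key,
            "value": value, "reason": reason, "severity": severity,
        })
    return findings


def highest_severity(findings: list[dict]) -> str:
    """Collapse a finding list to its worst severity ('none' when empty)."""
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed sample inputs (not real artifacts): an Info.plist that hides
# its window and injects a DYLD_* variable, a benign Info.plist, and a
# binary launch agent plist produced with plistlib itself.
SUSPICIOUS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed</string>
  <key>LSUIElement</key><true/>
  <key>LSEnvironment</key>
  <dict><key>DYLD_INSERT_LIBRARIES</key><string>/tmp/constructed.dylib</string></dict>
</dict>
</plist>
"""
BENIGN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.benign</string>
  <key>CFBundleVersion</key><string>1.0</string>
</dict>
</plist>
"""
BINARY_LAUNCH_AGENT = plistlib.dumps(
    {"Label": "com.example.constructed.agent",
     "ProgramArguments": ["/usr/bin/true"],
     "RunAtLoad": True},
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for name, blob in [("suspicious Info.plist", SUSPICIOUS_INFO_PLIST),
                       ("benign Info.plist", BENIGN_INFO_PLIST),
                       ("binary launch agent", BINARY_LAUNCH_AGENT)]:
        found = inspect_plist(blob, path=name)
        print(f"{name}: {detect_format(blob)} plist, worst={highest_severity(found)}")
        for f in found:
            print(f"  {f['severity']:6} {f['key']} = {f['value']!r} ({f['reason']})")
```

Because plistlib autodetects the format, the same code path handles a binary plist written by `defaults` or `plutil` and an XML Info.plist from an application bundle, which is the normalization the first detection point asks for. The severity values are deliberately conservative; a real pipeline would raise them only after correlating with the writing process, its code-signing identity and the user context.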
Mitigation priorities
- Apply secure application development and packaging practices consistent with M1013 so applications do not rely on unsafe or easily abused plist behavior.
- Restrict write access to application bundles and sensitive configuration locations to the minimum required users and processes.
- Monitor and review plist changes during software installation, update, and incident response workflows.
- Harden macOS endpoint management so unauthorized persistence-related configuration changes are detectable and reversible.
- Include plist review in macOS IR playbooks when investigating persistence, defense impairment, or suspicious application behavior.
Analyst notes and limits
This technique was formerly represented by a revoked ATT&CK object, T1547.011 Plist Modification, and is now modeled as T1647 under defense impairment. The official description explicitly ties plist modification to behaviors such as Hidden Window, Launch Agent, Launch Daemon, Re-opened Applications, and Dynamic Linker Hijacking. Relationship context shows use by XCSSET and Cuckoo Stealer, but defensive analytics should remain behavior-based.
The supplied ATT&CK object does not provide official detection text, detailed data sources, or platform scope beyond macOS. Local path conventions, endpoint tooling, application management practices, and normal developer activity will determine what is high signal. This take does not establish customer exposure, active exploitation, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.011 | Plist Modification (sub-technique) | Revoked by this object (T1647). |
Groups, software, and campaigns
S1153: Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.[1][2]
S0658: XCSSET
XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 7d3a5ab8297c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FileInfo.com team. (2019, November 26). .PLIST File Extension. Retrieved October 12, 2021.
[2] Patrick Wardle. (2022, January 1). The Art of Mac Malware Volume 0x1: Analysis. Retrieved April 19, 2022.
[3] ESET. (2012, January 1). OSX/Flashback. Retrieved April 19, 2022.
[4] MITRE ATT&CK. T1647: Plist File Modification.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.