MacOS - Re-opened Applications

Author: Jamie Windley, Splunk
Source: upstream

The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.

Event coverage

Provider   Event ID   Title
Sysmon     1          Process creation

Stages and Predicates

Stage 1: tstats

| tstats count from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user, Processes.process_name, Processes.parent_process_name, Processes.dest
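To make the tstats stage concrete, the following added example (not part of the rule or of Splunk's content) emulates its filter and grouping in Python over a handful of constructed process-creation events. The event dictionaries and the `run_rule` helper are assumptions for illustration; the field names follow the Processes.* fields the rule groups by, and the wildcard match is treated as case-sensitive, which is an assumption rather than a statement about Splunk's own matching.

```python
import fnmatch

# Constructed sample events (not from the page). Field names mirror the
# Splunk Endpoint.Processes data model fields used by the rule.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user": "alice", "process_name": "defaults",
     "parent_process_name": "bash", "dest": "mac-01",
     "process": "defaults write com.apple.loginwindow TALLogoutSavesState -bool true"},
    {"_time": 1700000600, "user": "alice", "process_name": "defaults",
     "parent_process_name": "bash", "dest": "mac-01",
     "process": "defaults write com.apple.loginwindow TALLogoutSavesState -bool true"},
    {"_time": 1700001000, "user": "bob", "process_name": "plutil",
     "parent_process_name": "Terminal", "dest": "mac-02",
     "process": "plutil -p /Users/bob/Library/Preferences/ByHost/com.apple.loginwindow.plist"},
    {"_time": 1700001100, "user": "bob", "process_name": "ls",
     "parent_process_name": "zsh", "dest": "mac-02",
     "process": "ls -la /tmp"},
]

# The rule's single indicator: Processes.process eq "*com.apple.loginwindow*"
RULE_PATTERN = "*com.apple.loginwindow*"
# The BY clause of the tstats stage, without the Processes. prefix
BY_FIELDS = ("user", "process_name", "parent_process_name", "dest")


def matches(event, pattern=RULE_PATTERN):
    """Splunk-style wildcard match of the process command line (case-sensitive here; assumption)."""
    return fnmatch.fnmatchcase(event.get("process", ""), pattern)


def run_rule(events, pattern=RULE_PATTERN, by=BY_FIELDS):
    """Emulate `| tstats count ... where <pattern> by <fields>`.

    Returns one row per distinct BY-field combination with a count and the
    first/last event time, sorted by the BY values so results are deterministic.
    """
    rows = {}
    for ev in events:
        if not matches(ev, pattern):
            continue
        key = tuple(ev.get(f, "") for f in by)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return [dict(zip(by, key), **stats) for key, stats in sorted(rows.items())]


if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row)
```

Two of the four constructed events collapse into one row (same user, process, parent and host) with a count of 2, the plutil read of the loginwindow plist yields a second row, and the `ls` event is dropped by the filter. The grouping is what makes the rule useful for triage: a single user or host repeatedly touching the loginwindow preferences stands out from one-off reads.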

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field               Kind   Values
Processes.process   eq     "*com.apple.loginwindow*"