Plist Modification

Property list (plist) files contain all of the information that macOS and OS X use to configure applications and services. Adversaries can modify these plist files to point to their own code, execute their code in the context of another user, bypass whitelisting procedures, or establish persistence.

id: 9424fa5e-466a-40df-bb69-7cf31b7bd398
categories: enrich
confidence: low
os: macos
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Privilege Escalation, Defense Evasion, Persistence
techniques: T1150 Plist Modification

Query

file where file_name == "*Library/Preferences/*.plist"
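
The query matches any file event on a plist under Library/Preferences, so hits need triage. The following added example (not part of the original analytic) compares a flagged plist against a known-good copy by parsed content rather than by hash, so a file that was only re-encoded between XML and binary is not reported as modified. It assumes a baseline copy of the file is available; the key names and paths in the sample data are constructed.

```python
import plistlib

def flatten(obj, prefix=""):
    """Flatten nested plist containers into {key path: leaf value}."""
    if isinstance(obj, dict) and obj:
        pairs = obj.items()
    elif isinstance(obj, list) and obj:
        pairs = enumerate(obj)
    else:
        return {prefix: obj}  # leaf value or empty container
    out = {}
    for key, value in pairs:
        out.update(flatten(value, f"{prefix}/{key}"))
    return out

def diff_plists(baseline_bytes, current_bytes):
    """Return (action, key path, old, new) tuples for content differences.

    plistlib.loads() auto-detects XML vs binary, so a pure re-encoding
    of the same content yields no differences.
    """
    old = flatten(plistlib.loads(baseline_bytes))
    new = flatten(plistlib.loads(current_bytes))
    changes = []
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            changes.append(("added", path, None, new[path]))
        elif path not in new:
            changes.append(("removed", path, old[path], None))
        elif old[path] != new[path]:
            changes.append(("changed", path, old[path], new[path]))
    return changes

# Constructed sample data: a hypothetical application's preferences.
_PREFS = {"HelperPath": "/Applications/Example.app/Contents/MacOS/helper",
          "CheckForUpdates": True, "RecentItems": ["notes.txt"]}
BASELINE = plistlib.dumps(_PREFS, fmt=plistlib.FMT_XML)
REENCODED = plistlib.dumps(_PREFS, fmt=plistlib.FMT_BINARY)  # same content
MODIFIED = plistlib.dumps(
    {**_PREFS, "HelperPath": "/Users/Shared/helper", "ExtraArgs": ["--quiet"]},
    fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print("re-encoded:", diff_plists(BASELINE, REENCODED))
    for change in diff_plists(BASELINE, MODIFIED):
        print(change)
```

Changed or added values that reference executables or paths outside the application's own bundle are the ones to review first.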

Contributors