Techniques
Sample rules
MacOS - Re-opened Applications
- source: splunk
- techniques:
Description
This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos___re_opened_applications_filter`
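The same detection logic expressed outside Splunk, as an added example that is not part of the original rule or the Splunk content library: the search's `where` clause becomes a substring match on the process command line, the `by` clause becomes grouping on user, process name, parent process name and host, and the `count`/`values`/`min`/`max` aggregations are computed per group. The sample events are constructed for this example and use the Endpoint.Processes field names from the search; `exclude_process_names` stands in for the `macos___re_opened_applications_filter` tuning macro and is an assumption (the macro's real contents are not on the page).

```python
from datetime import datetime, timezone

# Constructed sample endpoint process events (not real telemetry). Field names mirror
# the Endpoint.Processes data model fields referenced by the Splunk search.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user": "alice", "dest": "mac-01",
     "process_name": "defaults", "parent_process_name": "Terminal",
     "process": "defaults read com.apple.loginwindow TALLogoutSavesState",
     "parent_process": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"_time": 1700000300, "user": "alice", "dest": "mac-01",
     "process_name": "defaults", "parent_process_name": "Terminal",
     "process": "defaults write com.apple.loginwindow TALLogoutSavesState -bool false",
     "parent_process": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"_time": 1700000600, "user": "bob", "dest": "mac-02",
     "process_name": "plutil", "parent_process_name": "zsh",
     # PLACEHOLDER-UUID stands in for the per-host UUID in the ByHost plist file name.
     "process": "plutil -p /Users/bob/Library/Preferences/ByHost/com.apple.loginwindow.PLACEHOLDER-UUID.plist",
     "parent_process": "/bin/zsh"},
    {"_time": 1700000900, "user": "alice", "dest": "mac-01",
     "process_name": "ls", "parent_process_name": "Terminal",
     "process": "ls -la /Users/alice",
     "parent_process": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
]


def format_ctime(epoch):
    """Equivalent of `security_content_ctime`: epoch seconds to a readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def matches_search(event):
    """Mirror of `Processes.process="*com.apple.loginwindow*"` (Splunk field matching is
    case-insensitive, so the comparison is lowered on both sides)."""
    return "com.apple.loginwindow" in event.get("process", "").lower()


def run_reopened_apps_search(events, exclude_process_names=frozenset()):
    """Apply the rule's filter and `by`-clause aggregation to a list of process events.

    Returns {(user, process_name, parent_process_name, dest): {count, process,
    parent_process, firstTime, lastTime}}. `exclude_process_names` is a hypothetical
    stand-in for the rule's tuning filter macro; it drops groups whose process_name is
    on the allowlist after aggregation, as a Splunk filter macro would.
    """
    groups = {}
    for e in events:
        if not matches_search(e):
            continue
        key = (e["user"], e["process_name"], e["parent_process_name"], e["dest"])
        g = groups.setdefault(key, {"count": 0, "process": set(), "parent_process": set(),
                                    "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1                      # count
        g["process"].add(e["process"])       # values(Processes.process)
        g["parent_process"].add(e["parent_process"])  # values(Processes.parent_process)
        g["firstTime"] = min(g["firstTime"], e["_time"])  # min(_time)
        g["lastTime"] = max(g["lastTime"], e["_time"])    # max(_time)

    results = {}
    for key, g in groups.items():
        if key[1] in exclude_process_names:
            continue
        results[key] = {
            "count": g["count"],
            "process": sorted(g["process"]),
            "parent_process": sorted(g["parent_process"]),
            "firstTime": g["firstTime"],
            "lastTime": g["lastTime"],
            "firstTime_ctime": format_ctime(g["firstTime"]),
            "lastTime_ctime": format_ctime(g["lastTime"]),
        }
    return results


if __name__ == "__main__":
    for key, row in run_reopened_apps_search(SAMPLE_EVENTS).items():
        user, proc, parent, dest = key
        print(f"{dest} {user} {parent}->{proc} x{row['count']} "
              f"{row['firstTime_ctime']} .. {row['lastTime_ctime']}")
        for cmd in row["process"]:
            print("    ", cmd)
```

Running it on the constructed events yields two result rows: the two `defaults` invocations by alice on mac-01 collapse into one row with a count of 2, and bob's `plutil` read of the ByHost plist is a separate row; the `ls` event never matches the `com.apple.loginwindow` substring. Benign administrative reads of the plist are the expected source of noise, which is what the tuning macro at the end of the real search exists to absorb.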