LoFP / at this stage, there are no known false positives. during testing, no process events referring the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. therefore, it can be assumed that any occurrences of this in the process events would be worth investigating. in the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.

Techniques

Sample rules

MacOS - Re-opened Applications

• source: splunk
• technicques:

Description

The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to “com.apple.loginwindow.” This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.

Detection logic

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `macos___re_opened_applications_filter`