at this stage, there are no known false positives. during testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. therefore, it can be asumed that any occurences of this in the process events would be worth investigating. in the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.

endpoint
splunk

Techniques

Sample rules

MacOS - Re-opened Applications

source: splunk
technicques:

Description

This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `macos___re_opened_applications_filter`