Esc

Plist Modification - T1547.011

(ATT&CK® Technique)

Definition

Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1547011["Plist Modification"] --> |modifies| ApplicationConfigurationFile["Application Configuration File"]; class T1547011 OffensiveTechniqueNode;
        class ApplicationConfigurationFile ArtifactNode; click ApplicationConfigurationFile href "/dao/artifact/d3f:ApplicationConfigurationFile";
        click T1547011 href "/offensive-technique/attack/T1547.011/"; click ApplicationConfigurationFile href "/dao/artifact/d3f:ApplicationConfigurationFile";             FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | ApplicationConfigurationFile["Application Configuration File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1547011["Plist Modification"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class ApplicationConfigurationFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | ApplicationConfigurationFile["Application Configuration File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1547011["Plist Modification"] ;
          class FileEviction DefensiveTechniqueNode;
          class ApplicationConfigurationFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction"; RestoreFile["Restore File"] -->
          | restores | ApplicationConfigurationFile["Application Configuration File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1547011["Plist Modification"] ;
          class RestoreFile DefensiveTechniqueNode;
          class ApplicationConfigurationFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";                                      DecoyFile["Decoy File"] -->
          | spoofs | ApplicationConfigurationFile["Application Configuration File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1547011["Plist Modification"] ;
          class DecoyFile DefensiveTechniqueNode;
          class ApplicationConfigurationFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                FileEncryption["File Encryption"] -->
          | encrypts | ApplicationConfigurationFile["Application Configuration File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1547011["Plist Modification"] ;
          class FileEncryption DefensiveTechniqueNode;
          class ApplicationConfigurationFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | ApplicationConfigurationFile["Application Configuration File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1547011["Plist Modification"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class ApplicationConfigurationFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                           FileAnalysis["File Analysis"] -->
          | analyzes | ApplicationConfigurationFile["Application Configuration File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1547011["Plist Modification"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class ApplicationConfigurationFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | ApplicationConfigurationFile["Application Configuration File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1547011["Plist Modification"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class ApplicationConfigurationFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";

json