Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -596,8 +596,9 @@ privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
 privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
-privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
-privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
+privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
+privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
+privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
@@ -853,8 +854,9 @@ persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.commo
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
 persistence,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
-persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
-persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
+persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
+persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
+persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -96,8 +96,9 @@ persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add
 persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
-persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
-persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
+persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
+persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
+persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
@@ -121,8 +122,9 @@ privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Ite
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
-privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
-privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
+privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
+privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
+privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -926,8 +926,9 @@
 - T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
-  - Atomic Test #1: Re-Opened Applications [macos]
-  - Atomic Test #2: Re-Opened Applications [macos]
+  - Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
+  - Atomic Test #2: Re-Opened Applications using LoginHook [macos]
+  - Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
 - [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
   - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
@@ -1404,8 +1405,9 @@
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
-  - Atomic Test #1: Re-Opened Applications [macos]
-  - Atomic Test #2: Re-Opened Applications [macos]
+  - Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
+  - Atomic Test #2: Re-Opened Applications using LoginHook [macos]
+  - Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
 - [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
   - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -292,8 +292,9 @@
 - T1159 Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
-  - Atomic Test #1: Re-Opened Applications [macos]
-  - Atomic Test #2: Re-Opened Applications [macos]
+  - Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
+  - Atomic Test #2: Re-Opened Applications using LoginHook [macos]
+  - Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
 - T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -365,8 +366,9 @@
 - [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
   - Atomic Test #1: rc.common [macos]
 - [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
-  - Atomic Test #1: Re-Opened Applications [macos]
-  - Atomic Test #2: Re-Opened Applications [macos]
+  - Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
+  - Atomic Test #2: Re-Opened Applications using LoginHook [macos]
+  - Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
 - T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -40402,25 +40402,27 @@ privilege-escalation:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1547.007
     atomic_tests:
-    - name: Re-Opened Applications
+    - name: Copy in loginwindow.plist for Re-Opened Applications
       auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba
-      description: |
-        Plist Method
+      description: 'Copy in new loginwindow.plist to launch Calculator.
 
-        [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
+        '
       supported_platforms:
       - macos
+      input_arguments:
+        calc_plist_path:
+          description: path to binary plist with entry to open calculator
+          type: Path
+          default: PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist
       executor:
-        steps: |
-          1. create a custom plist:
+        command: 'cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
 
-              ~/Library/Preferences/com.apple.loginwindow.plist
+          '
+        cleanup_command: 'rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
 
-          or
-
-              ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
-        name: manual
-    - name: Re-Opened Applications
+          '
+        name: sh
+    - name: Re-Opened Applications using LoginHook
       auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb
       description: |
         Mac Defaults
@@ -40442,6 +40444,53 @@ privilege-escalation:
           '
         elevation_required: true
         name: sh
+    - name: Append to existing loginwindow for Re-Opened Applications
+      auto_generated_guid: 766b6c3c-9353-4033-8b7e-38b309fa3a93
+      description: |
+        Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
+        Note that the change may not result in the added Calculator program launching on next user login.
+        It may depend on which version of macOS you are running on.
+      supported_platforms:
+      - macos
+      input_arguments:
+        objc_source_path:
+          description: path to objective C program
+          type: Path
+          default: PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m
+        exe_path:
+          description: path to compiled program
+          type: Path
+          default: "/tmp/t1547007_append_exe"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{objc_source_path} -o #{exe_path} -framework Cocoa
+
+          '
+      executor:
+        command: |
+          FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
+          if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
+          echo save backup copy to /tmp/
+          cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
+          echo before
+          plutil -p ${FILE}
+          echo overwriting...
+          #{exe_path} ${FILE} && echo after && plutil -p ${FILE}
+        cleanup_command: |
+          rm -f #{exe_path}
+          # revert to backup copy
+          FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
+          if [ -z "${FILE}" ] ; then
+             exit 0
+          fi
+          mv /tmp/t1547007_loginwindow-backup.plist ${FILE}
+        name: sh
   T1574.002:
     technique:
       x_mitre_platforms:
@@ -63787,25 +63836,27 @@ persistence:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1547.007
     atomic_tests:
-    - name: Re-Opened Applications
+    - name: Copy in loginwindow.plist for Re-Opened Applications
       auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba
-      description: |
-        Plist Method
+      description: 'Copy in new loginwindow.plist to launch Calculator.
 
-        [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
+        '
       supported_platforms:
       - macos
+      input_arguments:
+        calc_plist_path:
+          description: path to binary plist with entry to open calculator
+          type: Path
+          default: PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist
       executor:
-        steps: |
-          1. create a custom plist:
+        command: 'cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
 
-              ~/Library/Preferences/com.apple.loginwindow.plist
+          '
+        cleanup_command: 'rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
 
-          or
-
-              ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
-        name: manual
-    - name: Re-Opened Applications
+          '
+        name: sh
+    - name: Re-Opened Applications using LoginHook
       auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb
       description: |
         Mac Defaults
@@ -63827,6 +63878,53 @@ persistence:
           '
         elevation_required: true
         name: sh
+    - name: Append to existing loginwindow for Re-Opened Applications
+      auto_generated_guid: 766b6c3c-9353-4033-8b7e-38b309fa3a93
+      description: |
+        Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
+        Note that the change may not result in the added Calculator program launching on next user login.
+        It may depend on which version of macOS you are running on.
+      supported_platforms:
+      - macos
+      input_arguments:
+        objc_source_path:
+          description: path to objective C program
+          type: Path
+          default: PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m
+        exe_path:
+          description: path to compiled program
+          type: Path
+          default: "/tmp/t1547007_append_exe"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{objc_source_path} -o #{exe_path} -framework Cocoa
+
+          '
+      executor:
+        command: |
+          FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
+          if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
+          echo save backup copy to /tmp/
+          cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
+          echo before
+          plutil -p ${FILE}
+          echo overwriting...
+          #{exe_path} ${FILE} && echo after && plutil -p ${FILE}
+        cleanup_command: |
+          rm -f #{exe_path}
+          # revert to backup copy
+          FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
+          if [ -z "${FILE}" ] ; then
+             exit 0
+          fi
+          mv /tmp/t1547007_loginwindow-backup.plist ${FILE}
+        name: sh
   T1574.002:
     technique:
       x_mitre_platforms:

atomics/T1547.007/T1547.007.md

@@ -6,17 +6,17 @@ Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003)
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Re-Opened Applications](#atomic-test-1---re-opened-applications)
+- [Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications](#atomic-test-1---copy-in-loginwindowplist-for-re-opened-applications)
 
-- [Atomic Test #2 - Re-Opened Applications](#atomic-test-2---re-opened-applications)
+- [Atomic Test #2 - Re-Opened Applications using LoginHook](#atomic-test-2---re-opened-applications-using-loginhook)
+
+- [Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications](#atomic-test-3---append-to-existing-loginwindow-for-re-opened-applications)
 
 
 <br/>
 
-## Atomic Test #1 - Re-Opened Applications
-Plist Method
-
-[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
+## Atomic Test #1 - Copy in loginwindow.plist for Re-Opened Applications
+Copy in new loginwindow.plist to launch Calculator.
 
 **Supported Platforms:** macOS
 
@@ -27,16 +27,23 @@ Plist Method
 
 
 
-#### Run it with these steps! 
-1. create a custom plist:
-
-    ~/Library/Preferences/com.apple.loginwindow.plist
-
-or
-
-    ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| calc_plist_path | path to binary plist with entry to open calculator | Path | PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist|
 
 
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
+```
+
+#### Cleanup Commands:
+```sh
+rm -f ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
+```
 
 
 
@@ -45,7 +52,7 @@ or
 <br/>
 <br/>
 
-## Atomic Test #2 - Re-Opened Applications
+## Atomic Test #2 - Re-Opened Applications using LoginHook
 Mac Defaults
 
 [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
@@ -81,4 +88,69 @@ sudo defaults delete com.apple.loginwindow LoginHook
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Append to existing loginwindow for Re-Opened Applications
+Appends an entry to launch Calculator hidden loginwindow.*.plist for next login.
+Note that the change may not result in the added Calculator program launching on next user login.
+It may depend on which version of macOS you are running on.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 766b6c3c-9353-4033-8b7e-38b309fa3a93
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| objc_source_path | path to objective C program | Path | PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m|
+| exe_path | path to compiled program | Path | /tmp/t1547007_append_exe|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
+if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
+echo save backup copy to /tmp/
+cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
+echo before
+plutil -p ${FILE}
+echo overwriting...
+#{exe_path} ${FILE} && echo after && plutil -p ${FILE}
+```
+
+#### Cleanup Commands:
+```sh
+rm -f #{exe_path}
+# revert to backup copy
+FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
+if [ -z "${FILE}" ] ; then
+   exit 0
+fi
+mv /tmp/t1547007_loginwindow-backup.plist ${FILE}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+cc #{objc_source_path} -o #{exe_path} -framework Cocoa
+```
+
+
+
+
 <br/>