Re-opened Applications

Information

• Name: Re-opened Applications

• ID: T1547.007

• Tactics: TA0003, TA0004

• Technique: T1547

Introduction

The MITRE ATT&CK sub-technique "Re-opened Applications" (T1547.007) refers to adversaries leveraging operating system features designed to automatically re-open previously running applications upon system reboot or user login. Attackers exploit these legitimate mechanisms to maintain persistence and ensure continued access to compromised systems. By embedding malicious payloads within applications or scripts that automatically restart, adversaries can seamlessly regain execution after system restarts or user logins without explicit user interaction.

Deep Dive Into Technique

The "Re-opened Applications" sub-technique exploits built-in functionality commonly found in modern operating systems, particularly macOS and Windows, to re-launch applications that were active prior to shutdown or logout. Attackers leverage this behavior by embedding malicious components within legitimate applications or by creating malicious scripts or executables that are configured to auto-start when the user logs back in.

Technical details and execution methods include:

• macOS Persistence via Saved Application State:

  • macOS automatically saves the state of open applications upon system shutdown or logout.

  • Applications are relaunched automatically upon user login if the "Reopen windows when logging back in" option is enabled.

  • Attackers may embed malicious payloads or scripts within legitimate applications to exploit this feature.

  • Malicious scripts or binaries placed in directories such as ~/Library/Saved Application State/ or within application-specific state files can trigger execution upon reboot.

• Windows Persistence via Application Restart Manager (ARM):

  • Windows uses the Application Restart Manager to automatically restart applications after system updates or restarts.

  • Attackers may modify registry keys or application manifests to register malicious executables or scripts with ARM.

  • Malicious code placed within application restart configurations ensures automatic execution upon reboot.

Real-world procedures attackers may utilize:

• Embedding malicious payloads within legitimate applications' saved state files.

• Modifying application manifests or registry entries to trigger malicious scripts upon system restart.

• Leveraging scripting languages such as AppleScript, PowerShell, or batch scripts to automate malicious execution during application reopening events.

When this Technique is Usually Used

This sub-technique is typically employed during the persistence phase of an attack lifecycle. Attackers use it to maintain continuous presence and regain access following system reboots, user logouts, or software updates. Common scenarios and stages include:

• Post-Exploitation Persistence: After initial compromise, attackers establish long-term access by embedding malicious components into applications that automatically reopen.

• Privilege Escalation and Lateral Movement: Attackers may combine this technique with privilege escalation to ensure elevated privileges persist across reboots.

• Stealthy Long-Term Access: Attackers seeking stealth and minimal detection risk leverage this legitimate feature to blend with regular system behaviors, reducing suspicion among users and administrators.

• Data Exfiltration and Command-and-Control (C2): Malicious scripts or applications configured for reopening can periodically communicate with attacker-controlled infrastructure.

How this Technique is Usually Detected

Detection of "Re-opened Applications" sub-technique requires monitoring specific system behaviors, configurations, and artifacts:

• File and Directory Monitoring:

  • Monitor directories such as ~/Library/Saved Application State/ (macOS) and %AppData%\Microsoft\Windows\Recent\AutomaticDestinations (Windows) for suspicious or anomalous modifications.

  • Track the creation and modification of saved application state files or manifests.

• Registry and Configuration Monitoring:

  • Monitor Windows registry keys related to Application Restart Manager (HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce or ARM-specific registry entries).

  • Detect abnormal changes or additions to application manifests that specify auto-restart behavior.

• Process and Execution Monitoring:

  • Implement endpoint detection and response (EDR) tools to monitor processes that start automatically upon login or reboot.

  • Identify unexpected or malicious processes that consistently restart after system reboot or logout.

• Log Analysis and Behavioral Analytics:

  • Analyze system logs for recurring execution of suspicious or unknown processes.

  • Utilize behavioral analytics to detect anomalous application reopen events, particularly those involving scripts or binaries not commonly reopened by users.

Indicators of Compromise (IoCs):

• Unexpected scripts or binaries located in saved application state directories.

• Suspicious registry entries or manifest files indicating application restart configurations.

• Unusual network connections initiated immediately after user login or system reboot.

• Repeated execution of unknown or unusual executables upon system startup.

Why it is Important to Detect This Technique

Early detection of the "Re-opened Applications" sub-technique is critical due to its potential impacts on systems and networks:

• Persistent Access: Attackers maintain long-term, stealthy access to compromised systems, complicating remediation and containment efforts.

• Privilege Escalation and Lateral Movement: Persistent malicious processes can facilitate further privilege escalation, lateral movement, and deeper compromise within networks.

• Data Exfiltration Risk: Continuous malicious execution increases the risk of sensitive data exfiltration, intellectual property theft, or espionage activities.

• Increased Difficulty of Remediation: Undetected persistence mechanisms complicate incident response, as malicious components may continually re-establish themselves after remediation attempts.

• Stealth and Evasion: Leveraging legitimate OS features allows attackers to evade traditional security controls and blend seamlessly with normal user behaviors, reducing detection likelihood.

Examples

Real-world examples and attack scenarios involving the "Re-opened Applications" sub-technique include:

• OceanLotus (APT32) macOS Malware:

  • OceanLotus, an advanced persistent threat (APT) group, utilized macOS saved application states to persistently execute malicious payloads.

  • Malicious scripts were embedded within legitimate application state files, ensuring automatic execution upon user login or reboot.

  • Impact included stealthy espionage activities and persistent access to victim systems.

• WindTail Malware (macOS):

  • WindTail malware leveraged Apple's saved application state feature to persist across system reboots.

  • Malicious payloads were executed automatically upon user login, enabling continuous data exfiltration and espionage activities targeting specific organizations.

• Windows Malware Utilizing Application Restart Manager:

  • Certain Windows malware families have exploited ARM by modifying application manifests or registry entries to ensure automatic execution after system updates or restarts.

  • Attackers configured malicious scripts or binaries to execute seamlessly, maintaining persistent control and enabling continuous command-and-control communications.

In each scenario, attackers utilized legitimate system features to maintain stealthy persistence, evade detection, and ensure continuous malicious activity.