T1037.005 Startup Items Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1037.005 - macOS Startup Items Persistence Detection
// Detects file creation/modification in /Library/StartupItems or related startup item paths
// Note: macOS telemetry via Microsoft Defender for Endpoint (MDE) on macOS
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "/Library/StartupItems"
    or FileName =~ "StartupParameters.plist"
| extend StartupItemDir = extract(@"(/Library/StartupItems/[^/]+)", 1, FolderPath)
| extend IsPlist = FileName endswith ".plist"
| extend IsExecutable = not(FileName endswith ".plist") and not(FileName endswith ".txt") and not(FileName endswith ".log")
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, StartupItemDir, IsPlist, IsExecutable
| sort by Timestamp desc
| union (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has "/Library/StartupItems"
        or ProcessCommandLine has "StartupParameters.plist"
        or (ProcessCommandLine has "mkdir" and ProcessCommandLine has "/Library/StartupItems")
        or (ProcessCommandLine has "cp" and ProcessCommandLine has "/Library/StartupItems")
        or (ProcessCommandLine has "chmod" and ProcessCommandLine has "/Library/StartupItems")
    | project Timestamp, DeviceName, AccountName, ActionType=ActionType, FileName,
              FolderPath=InitiatingProcessFolderPath, InitiatingProcessFileName,
              InitiatingProcessCommandLine, InitiatingProcessAccountName,
              StartupItemDir="", IsPlist=false, IsExecutable=false
    | sort by Timestamp desc
)

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (macOS)

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate third-party macOS software installers that still use the deprecated StartupItems mechanism for compatibility with older macOS versions
System administrators or IT teams manually creating startup items for legacy application compatibility
macOS system updates or migration tools that read or restore /Library/StartupItems content from backups
Security or monitoring software that scans /Library/StartupItems as part of system inventory or compliance checks

Splunk

spl

index=mac_logs (sourcetype="jamf:pro" OR sourcetype="syslog" OR sourcetype="macos:unified_log" OR sourcetype="microsoft:defender:atp")
| eval event_type=coalesce(event_type, sourcetype)
| eval file_path=coalesce(file_path, FilePath, FolderPath, path, "")
| eval process_cmd=coalesce(process_cmd, CommandLine, ProcessCommandLine, cmdline, "")
| eval user=coalesce(user, AccountName, User, username, "")
| eval host_name=coalesce(host, DeviceName, hostname, "")
| where (match(file_path, "/Library/StartupItems"))
    OR (match(process_cmd, "/Library/StartupItems"))
    OR (match(file_path, "StartupParameters\\.plist"))
    OR (match(process_cmd, "StartupParameters\\.plist"))
| eval IsPlistCreation=if(match(file_path, "StartupParameters\\.plist"), 1, 0)
| eval IsDirectoryCreation=if(match(process_cmd, "mkdir.*StartupItems"), 1, 0)
| eval IsChmod=if(match(process_cmd, "chmod.*StartupItems"), 1, 0)
| eval IsCopy=if(match(process_cmd, "cp.*StartupItems"), 1, 0)
| eval SuspicionScore=IsPlistCreation + IsDirectoryCreation + IsChmod + IsCopy
| table _time, host_name, user, file_path, process_cmd, IsPlistCreation, IsDirectoryCreation, IsChmod, IsCopy, SuspicionScore
| sort - _time
| union [
    search index=mac_logs sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    | where 1=0
]
| append [
    search index=mac_logs (sourcetype="syslog" OR sourcetype="macos:unified_log")
        ("/Library/StartupItems" OR "StartupParameters.plist")
    | eval file_path=coalesce(file_path, message, "")
    | eval process_cmd=coalesce(process_cmd, cmdline, message, "")
    | eval user=coalesce(user, username, "")
    | eval host_name=coalesce(host, hostname, "")
    | eval IsPlistCreation=if(match(file_path, "StartupParameters\\.plist") OR match(process_cmd, "StartupParameters\\.plist"), 1, 0)
    | eval IsDirectoryCreation=if(match(process_cmd, "mkdir.*StartupItems"), 1, 0)
    | eval IsChmod=if(match(process_cmd, "chmod.*StartupItems"), 1, 0)
    | eval IsCopy=if(match(process_cmd, "cp.*StartupItems"), 1, 0)
    | eval SuspicionScore=IsPlistCreation + IsDirectoryCreation + IsChmod + IsCopy
    | where SuspicionScore > 0
    | table _time, host_name, user, file_path, process_cmd, IsPlistCreation, IsDirectoryCreation, IsChmod, IsCopy, SuspicionScore
    | sort - _time
]

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation macOS Unified Log Jamf Pro Microsoft Defender for Endpoint (macOS)

Required Sourcetypes

syslog macos:unified_log

False Positives

Legitimate third-party macOS software installers that still use the deprecated StartupItems mechanism for compatibility with older macOS versions
System administrators or IT teams manually creating startup items for legacy application compatibility
macOS system updates or migration tools that read or restore /Library/StartupItems content from backups
Security or monitoring software that scans /Library/StartupItems as part of system inventory or compliance checks

Elastic Security (EQL)

eql

any where host.os.type == "macos" and (
  (
    event.category == "file" and (
      file.path : "/Library/StartupItems/*" or
      file.name : "StartupParameters.plist"
    )
  ) or
  (
    event.category == "process" and (
      process.command_line : "*StartupItems*" or
      process.args : "/Library/StartupItems*" or
      process.command_line : "*StartupParameters.plist*"
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (macOS agent) Auditbeat (macOS file and process modules)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Legacy macOS software installers that still use the deprecated /Library/StartupItems mechanism on older OS versions
System administrators running scripted macOS provisioning tools (e.g., Munki, Homebrew casks) that create startup items for legitimate services
Security or MDM management agents (e.g., Jamf Pro, Kandji) that legitimately enumerate or manage startup items during software deployment workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "filename" AS file_path,
  "Command" AS process_cmd,
  hostname,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  CATEGORYNAME(category) AS event_category
FROM events
WHERE (
  LOWER("filename") LIKE '%/library/startupitems%'
  OR LOWER("Command") LIKE '%/library/startupitems%'
  OR LOWER("filename") LIKE '%startupparameters.plist%'
  OR LOWER("Command") LIKE '%startupparameters.plist%'
)
AND LOGSOURCETYPENAME(devicetype) IN (
  'Apple OS X Unified Log',
  'Jamf Pro',
  'Microsoft Defender ATP',
  'Syslog'
)
AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Apple macOS Unified Log Jamf Pro Microsoft Defender ATP (macOS) macOS Syslog

Required Tables

events

False Positives

Legacy enterprise software packages installed prior to the deprecation of StartupItems that remain in place and are referenced by management tools
IT administrative scripts that audit or clean up /Library/StartupItems as part of macOS compliance or upgrade procedures
Backup or disk imaging software (e.g., Carbon Copy Cloner, SuperDuper) that traverses /Library/StartupItems during full system backup operations

Sumo Logic CSE

sql

(_sourceCategory="macos" OR _sourceCategory="jamf" OR _sourceCategory="defender/macos" OR _sourceCategory="syslog/macos")
| parse "*" as raw_message nodrop
| where (
    %"file_path" matches "*/Library/StartupItems*"
    OR %"process_cmd" matches "*StartupItems*"
    OR %"file_path" matches "*StartupParameters.plist*"
    OR %"process_cmd" matches "*StartupParameters.plist*"
    OR raw_message matches "*StartupItems*"
    OR raw_message matches "*StartupParameters.plist*"
  )
| if(%"file_path" matches "*StartupParameters.plist*" OR %"process_cmd" matches "*StartupParameters.plist*", 1, 0) as IsPlistCreation
| if(%"process_cmd" matches "*mkdir*StartupItems*", 1, 0) as IsDirectoryCreation
| if(%"process_cmd" matches "*chmod*StartupItems*", 1, 0) as IsChmod
| if(%"process_cmd" matches "*cp*StartupItems*", 1, 0) as IsCopy
| IsPlistCreation + IsDirectoryCreation + IsChmod + IsCopy as SuspicionScore
| fields _messagetime, %"host", %"user", %"file_path", %"process_cmd", IsPlistCreation, IsDirectoryCreation, IsChmod, IsCopy, SuspicionScore
| sort by _messagetime desc

high severity medium confidence

Data Sources

macOS Unified Log Jamf Pro Microsoft Defender for Endpoint (macOS) macOS Syslog

Required Tables

_sourceCategory=macos _sourceCategory=jamf _sourceCategory=defender/macos

False Positives

Legacy enterprise applications installed before the deprecation of StartupItems that remain registered and are periodically referenced by macOS system processes
IT provisioning scripts that enumerate or document /Library/StartupItems during macOS fleet upgrades or migrations to LaunchDaemons
Security assessment tools performing authorized persistence enumeration on macOS endpoints as part of red team or posture review exercises

Google Chronicle / SecOps

yaral

rule t1037_005_macos_startup_items_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of files in /Library/StartupItems or StartupParameters.plist, indicating macOS startup item persistence (T1037.005)"
    mitre_attack_technique = "T1037.005"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    platform = "macOS"
    reference = "https://attack.mitre.org/techniques/T1037/005/"

  events:
    (
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION" or
      $e.metadata.event_type = "PROCESS_LAUNCH"
    )
    (
      re.regex($e.target.file.full_path, `/Library/StartupItems/`) or
      re.regex($e.target.process.command_line, `/Library/StartupItems`) or
      re.regex($e.target.file.full_path, `StartupParameters\.plist`) or
      re.regex($e.target.process.command_line, `StartupParameters\.plist`)
    )
    $e.principal.hostname = $hostname

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle (macOS endpoint telemetry via Unified Data Model) Chronicle UDM-normalized macOS events

Required Tables

UDM events: FILE_CREATION, FILE_MODIFICATION, PROCESS_LAUNCH

False Positives

Legitimate macOS system management tools or older commercial software that still interacts with /Library/StartupItems as part of installation or service registration
Security assessment tools conducting authorized persistence enumeration or red team exercises on macOS endpoints ingested into Chronicle
IT provisioning automation that cleans up or documents legacy startup items during macOS fleet upgrades, generating file access events against the StartupItems path

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(MacFileWritten|MacFileDeleted|ProcessRollup2)$/
| where FilePath = /\/Library\/StartupItems\// OR FileName = /StartupParameters\.plist/ OR CommandLine = /\/Library\/StartupItems/
| IsPlistCreation := if(FileName = /StartupParameters\.plist/, 1, 0)
| IsDirectoryCreation := if(CommandLine = /mkdir.*StartupItems/, 1, 0)
| IsChmod := if(CommandLine = /chmod.*StartupItems/, 1, 0)
| IsCopy := if(CommandLine = /cp.*StartupItems/, 1, 0)
| SuspicionScore := IsPlistCreation + IsDirectoryCreation + IsChmod + IsCopy
| table([_timeutc, ComputerName, UserName, FilePath, FileName, CommandLine, IsPlistCreation, IsDirectoryCreation, IsChmod, IsCopy, SuspicionScore])
| sort(field=_timeutc, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor (macOS) Falcon MacFileWritten events Falcon ProcessRollup2 events

Required Tables

MacFileWritten MacFileDeleted ProcessRollup2

False Positives

macOS OS update or migration processes that interact with /Library/StartupItems during upgrade routines to clean up deprecated launch mechanisms
CrowdStrike Falcon sensor self-configuration or update routines that traverse macOS system library paths during sensor initialization
Enterprise software with legacy installer components (e.g., older versions of Oracle Java, Adobe products) that reference or register StartupItems for service management

Startup Items

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections