Detect Startup Items in Elastic Security
Adversaries may use startup items automatically executed at boot initialization to establish persistence on macOS systems. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information (StartupParameters.plist) used by the system to determine execution order. Although technically deprecated in favor of Launch Daemons, the /Library/StartupItems directory may still exist on systems. An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism that executes as root during system boot.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Sub-technique
- T1037.005 Startup Items
- Canonical reference
- https://attack.mitre.org/techniques/T1037/005/
Elastic Detection Query
any where host.os.type == "macos" and (
(
event.category == "file" and (
file.path : "/Library/StartupItems/*" or
file.name : "StartupParameters.plist"
)
) or
(
event.category == "process" and (
process.command_line : "*StartupItems*" or
process.args : "/Library/StartupItems*" or
process.command_line : "*StartupParameters.plist*"
)
)
)Detects file creation or modification in /Library/StartupItems and process activity referencing this deprecated macOS persistence directory. Covers direct file system writes to startup item paths and shell commands (mkdir, cp, chmod) targeting those paths. Matches behavior of the KQL/SPL detections by spanning both file and process event categories.
Data Sources
Required Tables
False Positives & Tuning
- Legacy macOS software installers that still use the deprecated /Library/StartupItems mechanism on older OS versions
- System administrators running scripted macOS provisioning tools (e.g., Munki, Homebrew casks) that create startup items for legitimate services
- Security or MDM management agents (e.g., Jamf Pro, Kandji) that legitimately enumerate or manage startup items during software deployment workflows
Other platforms for T1037.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Startup Item Directory and Plist
Expected signal: File creation events for /Library/StartupItems/AtomicTestItem/ (directory), /Library/StartupItems/AtomicTestItem/AtomicTestItem (shell script), and /Library/StartupItems/AtomicTestItem/StartupParameters.plist. Process creation events for mkdir, bash, chmod with command lines referencing /Library/StartupItems. macOS Unified Log entries for sudo usage. MDE DeviceFileEvents with FolderPath containing /Library/StartupItems and FileName=StartupParameters.plist.
- Test 2Deploy Startup Item with Network Callback Script
Expected signal: File creation events for /Library/StartupItems/UpdateHelper/ directory and contents. Process creation events for mkdir, bash, chmod with /Library/StartupItems path. The shell script content will contain 'curl' and a network callback URL visible in file content telemetry. Spotlight metadata (kMDItemWhereFroms) will be absent since file was created locally. MDE DeviceFileEvents entries for both the executable and StartupParameters.plist.
- Test 3Simulate Startup Item Execution via Shell
Expected signal: Process creation events: sudo, bash, and the AtomicExecTest script executing with root privileges. The FolderPath /Library/StartupItems/AtomicExecTest/ appears in both file creation and process execution events. The id and echo commands run as root (uid=0) are visible in child process telemetry. MDE DeviceProcessEvents entries show InitiatingProcessFileName=bash with FolderPath containing /Library/StartupItems.
References (8)
- https://attack.mitre.org/techniques/T1037/005/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://objective-see.org/blog.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
- https://www.kaspersky.com/blog/adwind-rat/11430/
- https://support.apple.com/guide/deployment/startup-items-dep7b3ee4a0e/web
- https://www.jamf.com/blog/how-malware-persists-on-macos/
Unlock Pro Content
Get the full detection package for T1037.005 including response playbook, investigation guide, and atomic red team tests.