Detect Startup Items in CrowdStrike LogScale
Adversaries may use startup items automatically executed at boot initialization to establish persistence on macOS systems. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information (StartupParameters.plist) used by the system to determine execution order. Although technically deprecated in favor of Launch Daemons, the /Library/StartupItems directory may still exist on systems. An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism that executes as root during system boot.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Sub-technique
- T1037.005 Startup Items
- Canonical reference
- https://attack.mitre.org/techniques/T1037/005/
LogScale Detection Query
#event_simpleName = /^(MacFileWritten|MacFileDeleted|ProcessRollup2)$/
| where FilePath = /\/Library\/StartupItems\// OR FileName = /StartupParameters\.plist/ OR CommandLine = /\/Library\/StartupItems/
| IsPlistCreation := if(FileName = /StartupParameters\.plist/, 1, 0)
| IsDirectoryCreation := if(CommandLine = /mkdir.*StartupItems/, 1, 0)
| IsChmod := if(CommandLine = /chmod.*StartupItems/, 1, 0)
| IsCopy := if(CommandLine = /cp.*StartupItems/, 1, 0)
| SuspicionScore := IsPlistCreation + IsDirectoryCreation + IsChmod + IsCopy
| table([_timeutc, ComputerName, UserName, FilePath, FileName, CommandLine, IsPlistCreation, IsDirectoryCreation, IsChmod, IsCopy, SuspicionScore])
| sort(field=_timeutc, order=desc)CrowdStrike LogScale query targeting macOS Falcon sensor events (MacFileWritten, MacFileDeleted, ProcessRollup2) for file writes and process executions involving /Library/StartupItems or StartupParameters.plist. Mirrors the SPL suspicion-score model using LogScale field assignments to flag and prioritize distinct persistence setup actions.
Data Sources
Required Tables
False Positives & Tuning
- macOS OS update or migration processes that interact with /Library/StartupItems during upgrade routines to clean up deprecated launch mechanisms
- CrowdStrike Falcon sensor self-configuration or update routines that traverse macOS system library paths during sensor initialization
- Enterprise software with legacy installer components (e.g., older versions of Oracle Java, Adobe products) that reference or register StartupItems for service management
Other platforms for T1037.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Startup Item Directory and Plist
Expected signal: File creation events for /Library/StartupItems/AtomicTestItem/ (directory), /Library/StartupItems/AtomicTestItem/AtomicTestItem (shell script), and /Library/StartupItems/AtomicTestItem/StartupParameters.plist. Process creation events for mkdir, bash, chmod with command lines referencing /Library/StartupItems. macOS Unified Log entries for sudo usage. MDE DeviceFileEvents with FolderPath containing /Library/StartupItems and FileName=StartupParameters.plist.
- Test 2Deploy Startup Item with Network Callback Script
Expected signal: File creation events for /Library/StartupItems/UpdateHelper/ directory and contents. Process creation events for mkdir, bash, chmod with /Library/StartupItems path. The shell script content will contain 'curl' and a network callback URL visible in file content telemetry. Spotlight metadata (kMDItemWhereFroms) will be absent since file was created locally. MDE DeviceFileEvents entries for both the executable and StartupParameters.plist.
- Test 3Simulate Startup Item Execution via Shell
Expected signal: Process creation events: sudo, bash, and the AtomicExecTest script executing with root privileges. The FolderPath /Library/StartupItems/AtomicExecTest/ appears in both file creation and process execution events. The id and echo commands run as root (uid=0) are visible in child process telemetry. MDE DeviceProcessEvents entries show InitiatingProcessFileName=bash with FolderPath containing /Library/StartupItems.
References (8)
- https://attack.mitre.org/techniques/T1037/005/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://objective-see.org/blog.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
- https://www.kaspersky.com/blog/adwind-rat/11430/
- https://support.apple.com/guide/deployment/startup-items-dep7b3ee4a0e/web
- https://www.jamf.com/blog/how-malware-persists-on-macos/
Unlock Pro Content
Get the full detection package for T1037.005 including response playbook, investigation guide, and atomic red team tests.