T1037.005 IBM QRadar · QRadar

Detect Startup Items in IBM QRadar

Adversaries may use startup items automatically executed at boot initialization to establish persistence on macOS systems. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information (StartupParameters.plist) used by the system to determine execution order. Although technically deprecated in favor of Launch Daemons, the /Library/StartupItems directory may still exist on systems. An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism that executes as root during system boot.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Sub-technique
T1037.005 Startup Items
Canonical reference
https://attack.mitre.org/techniques/T1037/005/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "filename" AS file_path,
  "Command" AS process_cmd,
  hostname,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  CATEGORYNAME(category) AS event_category
FROM events
WHERE (
  LOWER("filename") LIKE '%/library/startupitems%'
  OR LOWER("Command") LIKE '%/library/startupitems%'
  OR LOWER("filename") LIKE '%startupparameters.plist%'
  OR LOWER("Command") LIKE '%startupparameters.plist%'
)
AND LOGSOURCETYPENAME(devicetype) IN (
  'Apple OS X Unified Log',
  'Jamf Pro',
  'Microsoft Defender ATP',
  'Syslog'
)
AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
high severity medium confidence

AQL query targeting macOS log sources in QRadar for file path or command line references to /Library/StartupItems or StartupParameters.plist. Applies a LOGSOURCETYPENAME filter to focus on relevant macOS data sources and covers both file creation events and process execution indicators within a 24-hour window.

Data Sources

Apple macOS Unified LogJamf ProMicrosoft Defender ATP (macOS)macOS Syslog

Required Tables

events

False Positives & Tuning

  • Legacy enterprise software packages installed prior to the deprecation of StartupItems that remain in place and are referenced by management tools
  • IT administrative scripts that audit or clean up /Library/StartupItems as part of macOS compliance or upgrade procedures
  • Backup or disk imaging software (e.g., Carbon Copy Cloner, SuperDuper) that traverses /Library/StartupItems during full system backup operations
Download portable Sigma rule (.yml)

Other platforms for T1037.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Malicious Startup Item Directory and Plist

    Expected signal: File creation events for /Library/StartupItems/AtomicTestItem/ (directory), /Library/StartupItems/AtomicTestItem/AtomicTestItem (shell script), and /Library/StartupItems/AtomicTestItem/StartupParameters.plist. Process creation events for mkdir, bash, chmod with command lines referencing /Library/StartupItems. macOS Unified Log entries for sudo usage. MDE DeviceFileEvents with FolderPath containing /Library/StartupItems and FileName=StartupParameters.plist.

  2. Test 2Deploy Startup Item with Network Callback Script

    Expected signal: File creation events for /Library/StartupItems/UpdateHelper/ directory and contents. Process creation events for mkdir, bash, chmod with /Library/StartupItems path. The shell script content will contain 'curl' and a network callback URL visible in file content telemetry. Spotlight metadata (kMDItemWhereFroms) will be absent since file was created locally. MDE DeviceFileEvents entries for both the executable and StartupParameters.plist.

  3. Test 3Simulate Startup Item Execution via Shell

    Expected signal: Process creation events: sudo, bash, and the AtomicExecTest script executing with root privileges. The FolderPath /Library/StartupItems/AtomicExecTest/ appears in both file creation and process execution events. The id and echo commands run as root (uid=0) are visible in child process telemetry. MDE DeviceProcessEvents entries show InitiatingProcessFileName=bash with FolderPath containing /Library/StartupItems.

Last updated: 2026-04-16 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1037.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1037Boot or Logon Initialization Scripts

Related Sub-techniques

T1037.001Logon Script (Windows)T1037.002Login HookT1037.003Network Logon ScriptT1037.004RC Scripts

Related Techniques

T1037Boot or Logon Initialization ScriptsT1543.004Launch DaemonT1543.001Launch AgentT1059.006PythonT1059.004Unix ShellT1105Ingress Tool TransferT1548.003Sudo and Sudo CachingT1036.005Match Legitimate Resource Name or LocationT1070.004File Deletion

Same Tactic: Persistence

Popular Detections