T1037.005 Microsoft Sentinel · KQL

Detect Startup Items in Microsoft Sentinel

Adversaries may use startup items automatically executed at boot initialization to establish persistence on macOS systems. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information (StartupParameters.plist) used by the system to determine execution order. Although technically deprecated in favor of Launch Daemons, the /Library/StartupItems directory may still exist on systems. An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism that executes as root during system boot.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation
Technique: T1037 Boot or Logon Initialization Scripts
Sub-technique: T1037.005 Startup Items
Canonical reference: https://attack.mitre.org/techniques/T1037/005/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// T1037.005 - macOS Startup Items Persistence Detection
// Detects file creation/modification in /Library/StartupItems or related startup item paths
// Note: macOS telemetry via Microsoft Defender for Endpoint (MDE) on macOS
// Branch 1: direct file writes under /Library/StartupItems (or any StartupParameters.plist)
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "/Library/StartupItems"
    or FileName =~ "StartupParameters.plist"
// Per-item directory, e.g. /Library/StartupItems/<ItemName>; empty string when not extractable
| extend StartupItemDir = extract(@"(/Library/StartupItems/[^/]+)", 1, FolderPath)
| extend IsPlist = FileName endswith ".plist"
// Heuristic: anything that is not a plist, text or log file is treated as the executable payload
| extend IsExecutable = not(FileName endswith ".plist") and not(FileName endswith ".txt") and not(FileName endswith ".log")
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, StartupItemDir, IsPlist, IsExecutable
// Branch 2: shell commands (mkdir, cp, chmod, ...) that reference the directory or its plist.
// A single path match already covers every command line naming /Library/StartupItems.
| union (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has "/Library/StartupItems"
        or ProcessCommandLine has "StartupParameters.plist"
    | project Timestamp, DeviceName, AccountName, ActionType, FileName,
              FolderPath=InitiatingProcessFolderPath, InitiatingProcessFileName,
              InitiatingProcessCommandLine, InitiatingProcessAccountName,
              StartupItemDir="", IsPlist=false, IsExecutable=false
)
// Sort once after the union; ordering inside the union branches is not preserved
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Detects persistence attempts via macOS Startup Items by monitoring file creation and modification events in /Library/StartupItems as well as process commands that interact with this directory. Uses Microsoft Defender for Endpoint DeviceFileEvents and DeviceProcessEvents tables to identify both direct file writes and shell commands creating or modifying startup item directories and configuration files. Covers creation of StartupParameters.plist files, executable placement, and chmod operations on startup item content.

Data Sources

  • File: File Creation
  • File: File Modification
  • Process: Process Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint (macOS)

Required Tables

  • DeviceFileEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Legitimate third-party macOS software installers that still use the deprecated StartupItems mechanism for compatibility with older macOS versions
  • System administrators or IT teams manually creating startup items for legacy application compatibility
  • macOS system updates or migration tools that read or restore /Library/StartupItems content from backups
  • Security or monitoring software that scans /Library/StartupItems as part of system inventory or compliance checks
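To check the query's predicates and the tuning list above before deploying them, the following added example (not part of the original page or of Microsoft's tooling) replays constructed MDE-style DeviceFileEvents and DeviceProcessEvents rows through the same logic in Python: the 24h window, the path and plist matches, the StartupItemDir extraction, the IsPlist/IsExecutable heuristic, the union of both branches, and an allow-list hook for known legacy vendor items. All row values are invented, and FolderPath is assumed to carry the full path including the file name.

```python
"""Offline mirror of the T1037.005 KQL detection, for unit-testing its logic.

Added example, not part of the original page: replays constructed MDE-style
DeviceFileEvents / DeviceProcessEvents rows through the same predicates the
KQL uses, plus an allow-list hook for the tuning cases listed on the page.
"""
import re
from datetime import datetime, timedelta, timezone

# Same pattern as the KQL extract(): captures the startup item's own directory.
STARTUP_ITEM_RE = re.compile(r"(/Library/StartupItems/[^/]+)", re.IGNORECASE)
PROJECTED = ("Timestamp", "DeviceName", "AccountName", "ActionType", "FileName",
             "InitiatingProcessFileName", "InitiatingProcessCommandLine",
             "InitiatingProcessAccountName")

# Constructed sample telemetry (MDE row shape; every value is invented). FolderPath is
# assumed to hold the full path including the file name.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FILE_EVENTS = [
    {"Timestamp": "2024-05-01T10:00:00Z", "DeviceName": "mac-01", "AccountName": "root",
     "ActionType": "FileCreated", "FileName": "StartupParameters.plist",
     "FolderPath": "/Library/StartupItems/UpdateHelper/StartupParameters.plist",
     "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "bash -c ...",
     "InitiatingProcessAccountName": "root"},
    {"Timestamp": "2024-05-01T10:00:01Z", "DeviceName": "mac-01", "AccountName": "root",
     "ActionType": "FileCreated", "FileName": "UpdateHelper",
     "FolderPath": "/Library/StartupItems/UpdateHelper/UpdateHelper",
     "InitiatingProcessFileName": "cp", "InitiatingProcessCommandLine": "cp ...",
     "InitiatingProcessAccountName": "root"},
    # Benign: an allow-listed legacy vendor item writing a log file.
    {"Timestamp": "2024-05-01T11:00:00Z", "DeviceName": "mac-02", "AccountName": "root",
     "ActionType": "FileModified", "FileName": "install.log",
     "FolderPath": "/Library/StartupItems/LegacyVendorAgent/install.log",
     "InitiatingProcessFileName": "installer", "InitiatingProcessCommandLine": "installer ...",
     "InitiatingProcessAccountName": "root"},
    # Outside the 24h window: must be dropped.
    {"Timestamp": "2024-04-28T09:00:00Z", "DeviceName": "mac-03", "AccountName": "root",
     "ActionType": "FileCreated", "FileName": "StartupParameters.plist",
     "FolderPath": "/Library/StartupItems/Old/StartupParameters.plist",
     "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "",
     "InitiatingProcessAccountName": "root"},
    # Unrelated path: must not match.
    {"Timestamp": "2024-05-01T11:30:00Z", "DeviceName": "mac-01", "AccountName": "alice",
     "ActionType": "FileCreated", "FileName": "notes.txt",
     "FolderPath": "/Users/alice/Documents/notes.txt",
     "InitiatingProcessFileName": "TextEdit", "InitiatingProcessCommandLine": "",
     "InitiatingProcessAccountName": "alice"},
]
SAMPLE_PROCESS_EVENTS = [
    {"Timestamp": "2024-05-01T09:59:59Z", "DeviceName": "mac-01", "AccountName": "root",
     "ActionType": "ProcessCreated", "FileName": "mkdir",
     "ProcessCommandLine": "mkdir -p /Library/StartupItems/UpdateHelper",
     "InitiatingProcessFolderPath": "/bin/bash", "InitiatingProcessFileName": "bash",
     "InitiatingProcessCommandLine": "bash", "InitiatingProcessAccountName": "root"},
    {"Timestamp": "2024-05-01T11:45:00Z", "DeviceName": "mac-02", "AccountName": "bob",
     "ActionType": "ProcessCreated", "FileName": "ls",
     "ProcessCommandLine": "ls -la /Applications",
     "InitiatingProcessFolderPath": "/bin/zsh", "InitiatingProcessFileName": "zsh",
     "InitiatingProcessCommandLine": "zsh", "InitiatingProcessAccountName": "bob"},
]


def _in_window(ts, now, window):
    """Equivalent of `where Timestamp > ago(24h)` for an ISO-8601 timestamp string."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) > now - window


def classify_file_event(ev):
    """DeviceFileEvents branch; comparisons are case-insensitive, as KQL has/=~/endswith are."""
    folder, name = ev.get("FolderPath", ""), ev.get("FileName", "")
    if "/library/startupitems" not in folder.lower() and name.lower() != "startupparameters.plist":
        return None
    m = STARTUP_ITEM_RE.search(folder)
    low = name.lower()
    return {**{k: ev.get(k) for k in PROJECTED}, "FolderPath": folder,
            "StartupItemDir": m.group(1) if m else "",
            "IsPlist": low.endswith(".plist"),
            "IsExecutable": not low.endswith((".plist", ".txt", ".log"))}


def classify_process_event(ev):
    """DeviceProcessEvents branch; any command line naming the directory or plist matches."""
    cmd = ev.get("ProcessCommandLine", "").lower()
    if "/library/startupitems" not in cmd and "startupparameters.plist" not in cmd:
        return None
    return {**{k: ev.get(k) for k in PROJECTED},
            "FolderPath": ev.get("InitiatingProcessFolderPath", ""),
            "StartupItemDir": "", "IsPlist": False, "IsExecutable": False}


def run_detection(file_events, process_events, now=NOW, window=timedelta(hours=24),
                  allowlist=frozenset()):
    """Union both branches, apply the window and an item-name allow-list, newest first."""
    hits = []
    for ev in file_events:
        if _in_window(ev["Timestamp"], now, window) and (h := classify_file_event(ev)):
            hits.append(h)
    for ev in process_events:
        if _in_window(ev["Timestamp"], now, window) and (h := classify_process_event(ev)):
            hits.append(h)
    # Tuning hook: suppress items whose directory name is a known legacy vendor item.
    hits = [h for h in hits if h["StartupItemDir"].rsplit("/", 1)[-1] not in allowlist]
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_FILE_EVENTS, SAMPLE_PROCESS_EVENTS,
                             allowlist={"LegacyVendorAgent"}):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"], hit["StartupItemDir"])
```

Running the script with the allow-list yields three hits (the plist, the payload file and the mkdir command for the UpdateHelper item) while the vendor log write, the stale event and the unrelated file are dropped; the allow-list keys on the item directory name because that is the one attribute legitimate legacy installers keep stable across versions.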

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Startup Item Directory and Plist

    Expected signal: File creation events for /Library/StartupItems/AtomicTestItem/ (directory), /Library/StartupItems/AtomicTestItem/AtomicTestItem (shell script), and /Library/StartupItems/AtomicTestItem/StartupParameters.plist. Process creation events for mkdir, bash, chmod with command lines referencing /Library/StartupItems. macOS Unified Log entries for sudo usage. MDE DeviceFileEvents with FolderPath containing /Library/StartupItems and FileName=StartupParameters.plist.

  2. Test 2: Deploy Startup Item with Network Callback Script

    Expected signal: File creation events for the /Library/StartupItems/UpdateHelper/ directory and its contents. Process creation events for mkdir, bash, chmod with the /Library/StartupItems path. The shell script content will contain 'curl' and a network callback URL visible in file content telemetry. Spotlight metadata (kMDItemWhereFroms) will be absent since the file was created locally. MDE DeviceFileEvents entries for both the executable and StartupParameters.plist.

  3. Test 3: Simulate Startup Item Execution via Shell

    Expected signal: Process creation events: sudo, bash, and the AtomicExecTest script executing with root privileges. The FolderPath /Library/StartupItems/AtomicExecTest/ appears in both file creation and process execution events. The id and echo commands run as root (uid=0) are visible in child process telemetry. MDE DeviceProcessEvents entries show InitiatingProcessFileName=bash with FolderPath containing /Library/StartupItems.
