Detect Startup Items in Splunk
Adversaries may use startup items automatically executed at boot initialization to establish persistence on macOS systems. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information (StartupParameters.plist) used by the system to determine execution order. Although technically deprecated in favor of Launch Daemons, the /Library/StartupItems directory may still exist on systems. An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism that executes as root during system boot.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Sub-technique: T1037.005 Startup Items
- Canonical reference: https://attack.mitre.org/techniques/T1037/005/
SPL Detection Query
index=mac_logs (sourcetype="jamf:pro" OR sourcetype="syslog" OR sourcetype="macos:unified_log" OR sourcetype="microsoft:defender:atp")
| eval event_type=coalesce(event_type, sourcetype)
| eval file_path=coalesce(file_path, FilePath, FolderPath, path, "")
| eval process_cmd=coalesce(process_cmd, CommandLine, ProcessCommandLine, cmdline, "")
| eval user=coalesce(user, AccountName, User, username, "")
| eval host_name=coalesce(host, DeviceName, hostname, "")
| where match(file_path, "/Library/StartupItems")
    OR match(process_cmd, "/Library/StartupItems")
    OR match(file_path, "StartupParameters\\.plist")
    OR match(process_cmd, "StartupParameters\\.plist")
| eval IsPlistCreation=if(match(file_path, "StartupParameters\\.plist"), 1, 0)
| eval IsDirectoryCreation=if(match(process_cmd, "mkdir.*StartupItems"), 1, 0)
| eval IsChmod=if(match(process_cmd, "chmod.*StartupItems"), 1, 0)
| eval IsCopy=if(match(process_cmd, "cp.*StartupItems"), 1, 0)
| eval SuspicionScore=IsPlistCreation + IsDirectoryCreation + IsChmod + IsCopy
| table _time, host_name, user, file_path, process_cmd, IsPlistCreation, IsDirectoryCreation, IsChmod, IsCopy, SuspicionScore
| append [
    search index=mac_logs (sourcetype="syslog" OR sourcetype="macos:unified_log")
        ("/Library/StartupItems" OR "StartupParameters.plist")
    | eval file_path=coalesce(file_path, message, "")
    | eval process_cmd=coalesce(process_cmd, cmdline, message, "")
    | eval user=coalesce(user, username, "")
    | eval host_name=coalesce(host, hostname, "")
    | eval IsPlistCreation=if(match(file_path, "StartupParameters\\.plist") OR match(process_cmd, "StartupParameters\\.plist"), 1, 0)
    | eval IsDirectoryCreation=if(match(process_cmd, "mkdir.*StartupItems"), 1, 0)
    | eval IsChmod=if(match(process_cmd, "chmod.*StartupItems"), 1, 0)
    | eval IsCopy=if(match(process_cmd, "cp.*StartupItems"), 1, 0)
    | eval SuspicionScore=IsPlistCreation + IsDirectoryCreation + IsChmod + IsCopy
    | where SuspicionScore > 0
    | table _time, host_name, user, file_path, process_cmd, IsPlistCreation, IsDirectoryCreation, IsChmod, IsCopy, SuspicionScore
]
| dedup _time, host_name, process_cmd, file_path
| sort - _time

Detects macOS Startup Items persistence by searching across macOS log sourcetypes for file path or command line references to /Library/StartupItems or StartupParameters.plist. Each event is scored by activity type (plist creation, directory creation, chmod, copy operations) so that the highest-risk events sort to the top; an event that only references the path, such as a directory listing, keeps a score of 0. The appended subsearch runs a raw-text search over syslog and Unified Log events whose field extractions may lack file_path or cmdline, falling back to the message field and keeping only events that score above zero; because those sourcetypes also appear in the main search, the final dedup removes events matched by both, and the sort runs after the append so the combined result set is ordered newest first. Designed for environments ingesting macOS syslog, Unified Log, Jamf Pro, or Microsoft Defender ATP macOS telemetry into Splunk.
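To see how the scoring above behaves on mixed telemetry, here is an added Python re-implementation of the query's normalisation and scoring logic (this is not code from the page or from Splunk). Field names mirror the coalesce() calls in the SPL, the four regexes are the query's own, and the sample events are constructed to mirror the Test 1 signal plus one benign compliance-scan case from the tuning section.

```python
import re

# Added illustration of the SPL scoring logic; regexes are copied from the query.
PATH_RE = re.compile(r"/Library/StartupItems")
PLIST_RE = re.compile(r"StartupParameters\.plist")
SCORE_RULES = {
    "IsDirectoryCreation": re.compile(r"mkdir.*StartupItems"),
    "IsChmod": re.compile(r"chmod.*StartupItems"),
    "IsCopy": re.compile(r"cp.*StartupItems"),
}

def coalesce(event, *names):
    """Mimic SPL coalesce(): first non-empty field among names, else ""."""
    for n in names:
        if event.get(n):
            return event[n]
    return ""

def score_event(event):
    """Normalise one event; return its flags and SuspicionScore, or None if the
    event never references StartupItems (the query's where clause)."""
    file_path = coalesce(event, "file_path", "FilePath", "FolderPath", "path")
    process_cmd = coalesce(event, "process_cmd", "CommandLine", "ProcessCommandLine", "cmdline")
    if not (PATH_RE.search(file_path) or PATH_RE.search(process_cmd)
            or PLIST_RE.search(file_path) or PLIST_RE.search(process_cmd)):
        return None
    flags = {"IsPlistCreation": int(bool(PLIST_RE.search(file_path)))}
    for name, rx in SCORE_RULES.items():
        flags[name] = int(bool(rx.search(process_cmd)))
    flags["SuspicionScore"] = sum(flags.values())   # computed before host_name is added
    flags["host_name"] = coalesce(event, "host", "DeviceName", "hostname")
    return flags

# Constructed sample events (not real telemetry): Test 1 signal plus a benign scan.
SAMPLE_EVENTS = [
    {"sourcetype": "macos:unified_log", "host": "mac-01",
     "cmdline": "sudo mkdir -p /Library/StartupItems/AtomicTestItem"},
    {"sourcetype": "macos:unified_log", "host": "mac-01",
     "cmdline": "chmod +x /Library/StartupItems/AtomicTestItem/AtomicTestItem"},
    {"sourcetype": "microsoft:defender:atp", "DeviceName": "mac-01",
     "FolderPath": "/Library/StartupItems/AtomicTestItem/StartupParameters.plist"},
    {"sourcetype": "syslog", "host": "mac-02",          # compliance scan: path only
     "cmdline": "ls -la /Library/StartupItems"},
    {"sourcetype": "syslog", "host": "mac-03", "cmdline": "ls /tmp"},  # unrelated
]

def run_detection(events, min_score=0):
    # Equivalent of the table output, optionally filtered like the subsearch's where clause.
    return [s for s in map(score_event, events) if s and s["SuspicionScore"] >= min_score]
```

Running with min_score=0 reproduces the main search (the directory listing is returned with score 0), while min_score=1 reproduces the subsearch's filter and drops it.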
Data Sources
Required sourcetypes (those searched by the query above): jamf:pro, syslog, macos:unified_log, microsoft:defender:atp
False Positives & Tuning
- Legitimate third-party macOS software installers that still use the deprecated StartupItems mechanism for compatibility with older macOS versions
- System administrators or IT teams manually creating startup items for legacy application compatibility
- macOS system updates or migration tools that read or restore /Library/StartupItems content from backups
- Security or monitoring software that scans /Library/StartupItems as part of system inventory or compliance checks
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Malicious Startup Item Directory and Plist
Expected signal: File creation events for /Library/StartupItems/AtomicTestItem/ (directory), /Library/StartupItems/AtomicTestItem/AtomicTestItem (shell script), and /Library/StartupItems/AtomicTestItem/StartupParameters.plist. Process creation events for mkdir, bash, chmod with command lines referencing /Library/StartupItems. macOS Unified Log entries for sudo usage. MDE DeviceFileEvents with FolderPath containing /Library/StartupItems and FileName=StartupParameters.plist.
- Test 2: Deploy Startup Item with Network Callback Script
Expected signal: File creation events for the /Library/StartupItems/UpdateHelper/ directory and its contents. Process creation events for mkdir, bash, chmod with the /Library/StartupItems path. The shell script content will contain 'curl' and a network callback URL visible in file content telemetry. Spotlight metadata (kMDItemWhereFroms) will be absent since the file was created locally rather than downloaded. MDE DeviceFileEvents entries for both the executable and StartupParameters.plist.
- Test 3: Simulate Startup Item Execution via Shell
Expected signal: Process creation events: sudo, bash, and the AtomicExecTest script executing with root privileges. The FolderPath /Library/StartupItems/AtomicExecTest/ appears in both file creation and process execution events. The id and echo commands run as root (uid=0) are visible in child process telemetry. MDE DeviceProcessEvents entries show InitiatingProcessFileName=bash with FolderPath containing /Library/StartupItems.
References (8)
- https://attack.mitre.org/techniques/T1037/005/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://objective-see.org/blog.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
- https://www.kaspersky.com/blog/adwind-rat/11430/
- https://support.apple.com/guide/deployment/startup-items-dep7b3ee4a0e/web
- https://www.jamf.com/blog/how-malware-persists-on-macos/