Detect Startup Items in Sumo Logic CSE
Adversaries may use startup items automatically executed at boot initialization to establish persistence on macOS systems. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information (StartupParameters.plist) used by the system to determine execution order. Although technically deprecated in favor of Launch Daemons, the /Library/StartupItems directory may still exist on systems. An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism that executes as root during system boot.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Sub-technique
- T1037.005 Startup Items
- Canonical reference
- https://attack.mitre.org/techniques/T1037/005/
Sumo Detection Query
(_sourceCategory="macos" OR _sourceCategory="jamf" OR _sourceCategory="defender/macos" OR _sourceCategory="syslog/macos")
| parse "*" as raw_message nodrop
| where (
%"file_path" matches "*/Library/StartupItems*"
OR %"process_cmd" matches "*StartupItems*"
OR %"file_path" matches "*StartupParameters.plist*"
OR %"process_cmd" matches "*StartupParameters.plist*"
OR raw_message matches "*StartupItems*"
OR raw_message matches "*StartupParameters.plist*"
)
| if(%"file_path" matches "*StartupParameters.plist*" OR %"process_cmd" matches "*StartupParameters.plist*", 1, 0) as IsPlistCreation
| if(%"process_cmd" matches "*mkdir*StartupItems*", 1, 0) as IsDirectoryCreation
| if(%"process_cmd" matches "*chmod*StartupItems*", 1, 0) as IsChmod
| if(%"process_cmd" matches "*cp*StartupItems*", 1, 0) as IsCopy
| IsPlistCreation + IsDirectoryCreation + IsChmod + IsCopy as SuspicionScore
| fields _messagetime, %"host", %"user", %"file_path", %"process_cmd", IsPlistCreation, IsDirectoryCreation, IsChmod, IsCopy, SuspicionScore
| sort by _messagetime descSumo Logic CSE query detecting macOS /Library/StartupItems persistence activity across macOS log source categories. Mirrors the SPL suspicion-scoring model by computing indicator flags for plist creation, directory creation, chmod, and file copy operations targeting StartupItems paths, enabling triage prioritization by score.
Data Sources
Required Tables
False Positives & Tuning
- Legacy enterprise applications installed before the deprecation of StartupItems that remain registered and are periodically referenced by macOS system processes
- IT provisioning scripts that enumerate or document /Library/StartupItems during macOS fleet upgrades or migrations to LaunchDaemons
- Security assessment tools performing authorized persistence enumeration on macOS endpoints as part of red team or posture review exercises
Other platforms for T1037.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Startup Item Directory and Plist
Expected signal: File creation events for /Library/StartupItems/AtomicTestItem/ (directory), /Library/StartupItems/AtomicTestItem/AtomicTestItem (shell script), and /Library/StartupItems/AtomicTestItem/StartupParameters.plist. Process creation events for mkdir, bash, chmod with command lines referencing /Library/StartupItems. macOS Unified Log entries for sudo usage. MDE DeviceFileEvents with FolderPath containing /Library/StartupItems and FileName=StartupParameters.plist.
- Test 2Deploy Startup Item with Network Callback Script
Expected signal: File creation events for /Library/StartupItems/UpdateHelper/ directory and contents. Process creation events for mkdir, bash, chmod with /Library/StartupItems path. The shell script content will contain 'curl' and a network callback URL visible in file content telemetry. Spotlight metadata (kMDItemWhereFroms) will be absent since file was created locally. MDE DeviceFileEvents entries for both the executable and StartupParameters.plist.
- Test 3Simulate Startup Item Execution via Shell
Expected signal: Process creation events: sudo, bash, and the AtomicExecTest script executing with root privileges. The FolderPath /Library/StartupItems/AtomicExecTest/ appears in both file creation and process execution events. The id and echo commands run as root (uid=0) are visible in child process telemetry. MDE DeviceProcessEvents entries show InitiatingProcessFileName=bash with FolderPath containing /Library/StartupItems.
References (8)
- https://attack.mitre.org/techniques/T1037/005/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://objective-see.org/blog.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
- https://www.kaspersky.com/blog/adwind-rat/11430/
- https://support.apple.com/guide/deployment/startup-items-dep7b3ee4a0e/web
- https://www.jamf.com/blog/how-malware-persists-on-macos/
Unlock Pro Content
Get the full detection package for T1037.005 including response playbook, investigation guide, and atomic red team tests.