T1547.015 Login Items Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LoginItemPaths = dynamic([
  "backgrounditems.btm",
  "com.apple.backgroundtaskmanagementagent",
  "com.apple.loginitems",
  "Library/Application Support/com.apple.backgroundtaskmanagementagent"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "System Events"
| where ProcessCommandLine has_any ("login item", "loginitem", "LoginItem")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "osascript" or ProcessCommandLine has "osascript"
| where ProcessCommandLine has_any ("login item", "System Events", "make login item")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc;
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (LoginItemPaths)
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| sort by Timestamp desc;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sfltool" or ProcessCommandLine has "sfltool"
| where ProcessCommandLine has_any ("add", "login")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Creation File: File Modification Microsoft Defender for Endpoint (macOS)

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate applications (Spotify, Slack, Docker Desktop, 1Password) adding themselves to Login Items when the user enables 'Open at Login' in the application menu or System Preferences
macOS system processes updating backgrounditems.btm during software installation or system updates
MDM-managed devices (Jamf, Mosyle, Kandji) deploying login items for corporate applications via configuration profiles
Developers testing AppleScript or Login Item APIs during application development

Splunk

spl

index=macos sourcetype=osquery:results
  (name="login_items" OR name="startup_items")
| eval item_path=coalesce('columns.path', 'columns.Path')
| eval item_name=coalesce('columns.name', 'columns.Name')
| eval item_type=coalesce('columns.type', 'columns.Type')
| table _time, host, item_name, item_path, item_type
| sort - _time
| append
  [search index=macos sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*login item*" OR CommandLine="*System Events*" OR CommandLine="*osascript*login*" OR CommandLine="*sfltool*")
  | table _time, host, User, Image, CommandLine, ParentImage
  | sort - _time]
| append
  [search index=macos sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (TargetFilename="*backgrounditems.btm*" OR TargetFilename="*com.apple.loginitems*")
  | table _time, host, User, Image, TargetFilename
  | sort - _time]

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation osquery (login_items table) Sysmon for macOS

Required Sourcetypes

osquery:results XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate applications adding themselves to Login Items when users enable 'Open at Login'
macOS system updates modifying the backgrounditems.btm shared file list
MDM solutions (Jamf, Mosyle) deploying login items via configuration profiles
Developers testing Login Item APIs during application development

Elastic Security (EQL)

eql

any where host.os.type == "macos" and (
  (event.category == "process" and event.type == "start" and
   process.name == "osascript" and
   (process.command_line : "*login item*" or process.command_line : "*System Events*" or process.command_line : "*make login item*")) or
  (event.category == "process" and event.type == "start" and
   process.name == "System Events" and
   (process.command_line : "*login item*" or process.command_line : "*loginitem*" or process.command_line : "*LoginItem*")) or
  (event.category == "process" and event.type == "start" and
   process.name == "sfltool" and
   process.command_line : "*add*" and process.command_line : "*login*") or
  (event.category == "file" and
   event.action in ("creation", "modification") and
   (
     file.path : "*backgrounditems.btm*" or
     file.path : "*com.apple.backgroundtaskmanagementagent*" or
     file.path : "*com.apple.loginitems*" or
     file.path : "*/Library/Application Support/com.apple.backgroundtaskmanagementagent*"
   ))
)

high severity high confidence

Data Sources

Elastic Endpoint Security (macOS) Elastic Agent with macOS integration Auditbeat macOS

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-*

False Positives

Legitimate application installers (e.g., Dropbox, Zoom, Slack) that register themselves as login items using AppleScript or SMLoginItemSetEnabled during first launch or setup
macOS system utilities and preference management tools that programmatically modify login item configurations during OS updates or user profile migrations
IT management platforms (Jamf Pro, Mosyle, Kandji) running osascript or sfltool as part of device enrollment, configuration baselines, or software provisioning workflows
Developer tools and CI/CD agents (e.g., Xcode helper processes, build agents) that use System Events scripting for automation and test harness setup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "Username",
  sourceip AS "Source IP",
  QIDNAME(qid) AS "Event Name",
  "ProcessName" AS "Process Name",
  "CommandLine" AS "Command Line",
  "ParentProcessName" AS "Parent Process",
  "FilePath" AS "File Path"
FROM events
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    /* osascript login item via AppleScript / System Events */
    (
      ("ProcessName" ILIKE '%osascript%' OR "CommandLine" ILIKE '%osascript%')
      AND (
        "CommandLine" ILIKE '%login item%'
        OR "CommandLine" ILIKE '%System Events%'
        OR "CommandLine" ILIKE '%make login item%'
      )
    )
    /* System Events process with login item arguments */
    OR (
      "ProcessName" ILIKE '%System Events%'
      AND (
        "CommandLine" ILIKE '%login item%'
        OR "CommandLine" ILIKE '%loginitem%'
        OR "CommandLine" ILIKE '%LoginItem%'
      )
    )
    /* sfltool adding login items */
    OR (
      ("ProcessName" ILIKE '%sfltool%' OR "CommandLine" ILIKE '%sfltool%')
      AND "CommandLine" ILIKE '%add%'
      AND "CommandLine" ILIKE '%login%'
    )
    /* File creation/modification in login item paths */
    OR (
      "EventCategory" IN ('File Created', 'File Modified', 'File Written')
      AND (
        "FilePath" ILIKE '%backgrounditems.btm%'
        OR "FilePath" ILIKE '%com.apple.backgroundtaskmanagementagent%'
        OR "FilePath" ILIKE '%com.apple.loginitems%'
        OR "FilePath" ILIKE '%Application Support/com.apple.backgroundtaskmanagementagent%'
      )
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

macOS Endpoint Detection (CrowdStrike Falcon, Carbon Black, SentinelOne via QRadar DSM) Jamf Pro or similar MDM with process/file event forwarding QRadar macOS custom DSM with osquery or Elastic Agent

Required Tables

events

False Positives

Legitimate software installers and application first-run setups that use AppleScript or osascript to register login items, including commercial productivity software (Dropbox, OneDrive, Zoom)
IT management and MDM platform agents (Jamf, Mosyle) that programmatically configure login items as part of policy enforcement or software deployment workflows
macOS system processes and OS updates that legitimately modify the backgrounditems.btm database or com.apple.loginitems plist as part of system configuration
Security tools that use sfltool for audit or inventory purposes during compliance scanning

Sumo Logic CSE

sql

(_sourceCategory="macos*" OR _sourceCategory="endpoint/macos*" OR _sourceCategory="osquery*")
| where (
    /* osascript with login item or System Events */
    (%raw matches /osascript/ and (%raw matches /login.item/i or %raw matches /System.Events/i or %raw matches /make.login.item/i))
    /* System Events process handling login items */
    or (%raw matches /System Events/ and (%raw matches /loginitem/i or %raw matches /login item/i or %raw matches /LoginItem/))
    /* sfltool adding login items */
    or (%raw matches /sfltool/ and %raw matches /add/ and %raw matches /login/i)
    /* File creation in login item DB or plist paths */
    or (%raw matches /backgrounditems\.btm/ or %raw matches /com\.apple\.backgroundtaskmanagementagent/ or %raw matches /com\.apple\.loginitems/)
  )
| parse regex field=_raw "(?<process_name>[\w\-\.]+)\[(?<pid>\d+)\]" nodrop
| parse regex field=_raw "(?i)user[=:\s]+(?<username>[\w\-\.@]+)" nodrop
| parse regex field=_raw "(?i)host[=:\s]+(?<hostname>[\w\-\.]+)" nodrop
| parse regex field=_raw "(?i)(?:cmdline|CommandLine|command)[=:\s]+(?<command_line>.+?)(?:\||$|\n)" nodrop
| parse regex field=_raw "(?i)(?:path|filepath|FilePath)[=:\s]+(?<file_path>[^\s|]+)" nodrop
| fields _messagetime, hostname, username, process_name, pid, command_line, file_path
| sort by _messagetime desc

high severity medium confidence

Data Sources

osquery results (login_items, startup_items tables) macOS Unified Logging System forwarded via Sumo Logic collector CrowdStrike Falcon or SentinelOne macOS agent logs via Sumo Logic HTTP Source Jamf Pro event logs via Sumo Logic

Required Tables

Sumo Logic partition containing macOS endpoint or osquery logs

False Positives

Commercial software installers (e.g., Adobe Creative Cloud, Microsoft Office, Zoom) that legitimately create login items via AppleScript or SMLoginItemSetEnabled during installation or first launch
Enterprise MDM solutions (Jamf, Kandji, Mosyle) that script login item configuration via osascript or sfltool as part of baseline enforcement policies
macOS system software and OS upgrade processes that rewrite backgrounditems.btm or com.apple.loginitems plists as part of migration or update routines
Developer and DevOps tooling (rbenv, nvm launchers, build agents) that add themselves to login items for persistent daemon functionality

Google Chronicle / SecOps

yaral

rule t1547_015_macos_login_items_persistence {
  meta:
    author = "df00tech"
    description = "Detects macOS Login Items persistence (T1547.015) via AppleScript/osascript System Events manipulation, sfltool login item additions, or file writes to Background Task Manager and Login Items paths"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.015"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1547/015/"
    platform = "macOS"
    created = "2026-04-20"

  events:
    (
      /* osascript or sfltool login item manipulation */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.target.process.file.full_path = /\/usr\/bin\/(osascript|sfltool)/
        and (
          $e.target.process.command_line = /(?i)(login.?item|make.login.item|System.Events)/
          or ($e.target.process.command_line = /sfltool/ and $e.target.process.command_line = /(?i)(add|login)/)
        )
      )
      or
      /* System Events application handling login item requests */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.target.process.file.full_path = /System Events/
        and $e.target.process.command_line = /(?i)(login.?item|loginitem|LoginItem)/
      )
      or
      /* File creation/modification in login item paths */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and (
          $e.target.file.full_path = /backgrounditems\.btm/
          or $e.target.file.full_path = /com\.apple\.backgroundtaskmanagementagent/
          or $e.target.file.full_path = /com\.apple\.loginitems/
          or $e.target.file.full_path = /Library\/Application Support\/com\.apple\.backgroundtaskmanagementagent/
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM events from macOS Endpoint Detection Response (EDR) integration CrowdStrike Falcon Chronicle integration (macOS process and file events) Google Security Operations macOS fleet telemetry Jamf Pro event forwarding via Chronicle ingestion API

Required Tables

UDM events with event_type PROCESS_LAUNCH and FILE_CREATION from macOS hosts

False Positives

Legitimate macOS application installers and setup wizards that use AppleScript/osascript to register login items as part of standard installation procedures (e.g., cloud sync clients, communication apps)
IT and MDM management agents that programmatically configure login items during device enrollment, compliance baseline enforcement, or software deployment
macOS operating system update processes and Migration Assistant that rewrite login item databases during OS migrations or profile transfers
Developer automation tools and continuous integration agents that add themselves to login items for persistent execution between user sessions

CrowdStrike LogScale (CQL)

cql

// T1547.015 - macOS Login Items Persistence
// Detection 1: osascript/System Events login item creation or sfltool manipulation
#event_simpleName = "ProcessRollup2"
| OperatingSystemVersion = /[Mm]ac/
| (
    (FileName = /osascript/ and CommandLine = /(?i)(login.?item|make.login.item|System.Events)/)
    or (FileName = /sfltool/ and CommandLine = /(?i)add/ and CommandLine = /(?i)login/)
    or (CommandLine = /(?i)System.Events/ and CommandLine = /(?i)(login.?item|loginitem|LoginItem)/)
  )
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, SHA256HashData])
| sort(field=timestamp, order=desc)

// Detection 2: File write to Login Items / Background Task Manager paths
| union [
  #event_simpleName in ("PeFileWritten", "UnmanagedAssetWritten", "ScriptControlScanTelemetry")
  | OperatingSystemVersion = /[Mm]ac/
  | TargetFileName = /(?i)(backgrounditems\.btm|com\.apple\.backgroundtaskmanagementagent|com\.apple\.loginitems)/
  | table([timestamp, ComputerName, UserName, TargetFileName, FileName, CommandLine, SHA256HashData])
  | sort(field=timestamp, order=desc)
]

high severity high confidence

Data Sources

CrowdStrike Falcon macOS sensor (ProcessRollup2 events) CrowdStrike Falcon macOS sensor (file write events: PeFileWritten, UnmanagedAssetWritten) CrowdStrike Falcon Prevent or Discover with macOS endpoint coverage

Required Tables

ProcessRollup2 PeFileWritten UnmanagedAssetWritten ScriptControlScanTelemetry

False Positives

Commercial software products with legitimate background service requirements (Dropbox, Google Drive, Zoom, Microsoft Teams) that register login items via AppleScript or sfltool during installation or first-run configuration
CrowdStrike Falcon sensor itself and other endpoint security products that may create or modify login items for persistence of their own protection components
Enterprise IT management workflows using MDM scripting (Jamf Pro scripts, shell scripts calling osascript) to configure user login items as part of standard device provisioning
macOS OS update and configuration migration processes that rewrite Background Task Manager state files as part of system upgrades or profile transfers

Login Items

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections