Detect Login Items in Google Chronicle
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them. Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.
MITRE ATT&CK
- Tactic
- Persistence, Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.015 Login Items
- Canonical reference
- https://attack.mitre.org/techniques/T1547/015/
YARA-L Detection Query
```
rule t1547_015_macos_login_items_persistence {
    meta:
        author = "df00tech"
        description = "Detects macOS Login Items persistence (T1547.015) via AppleScript/osascript System Events manipulation, sfltool login item additions, or file writes to Background Task Manager and Login Items paths"
        severity = "HIGH"
        priority = "HIGH"
        mitre_attack_tactic = "Persistence"
        mitre_attack_technique = "T1547.015"
        mitre_attack_url = "https://attack.mitre.org/techniques/T1547/015/"
        platform = "macOS"
        created = "2026-04-20"

    events:
        (
            /* osascript or sfltool login item manipulation */
            (
                $e.metadata.event_type = "PROCESS_LAUNCH"
                and $e.target.process.file.full_path = /\/usr\/bin\/(osascript|sfltool)/
                and (
                    $e.target.process.command_line = /(?i)(login.?item|make.login.item|System.Events)/
                    or ($e.target.process.command_line = /sfltool/ and $e.target.process.command_line = /(?i)(add|login)/)
                )
            )
            or
            /* System Events application handling login item requests */
            (
                $e.metadata.event_type = "PROCESS_LAUNCH"
                and $e.target.process.file.full_path = /System Events/
                and $e.target.process.command_line = /(?i)(login.?item|loginitem|LoginItem)/
            )
            or
            /* File creation/modification in login item paths */
            (
                $e.metadata.event_type = "FILE_CREATION"
                and (
                    $e.target.file.full_path = /backgrounditems\.btm/
                    or $e.target.file.full_path = /com\.apple\.backgroundtaskmanagementagent/
                    or $e.target.file.full_path = /com\.apple\.loginitems/
                    or $e.target.file.full_path = /Library\/Application Support\/com\.apple\.backgroundtaskmanagementagent/
                )
            )
        )

    condition:
        $e
}
```

Chronicle YARA-L 2.0 rule detecting macOS Login Items persistence (T1547.015). It covers three attack vectors: (1) osascript invoking System Events to create login items via AppleScript, (2) sfltool used to add login items directly to the shared file list, and (3) file creation events targeting the Background Task Manager database (backgrounditems.btm) or Login Items plist files. All three vectors map to the same MITRE persistence sub-technique.
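To check what the rule's three branches actually match before deploying it, here is the same logic mirrored in Python as an added example (not part of the original page or the Chronicle rule), run over constructed UDM-style events that correspond to the Testing Methodology cases below. The flat keys `event_type`, `full_path` and `command_line` are assumed stand-ins for the UDM paths in the rule, and `re.search` is used because YARA-L regex matches are unanchored substring matches.

```python
import re
from typing import Dict, List, Optional
# Regexes copied from the YARA-L rule; YARA-L `=` with /.../ is a substring
# match, so re.search (unanchored) reproduces its semantics.
PROC_PATH = re.compile(r"/usr/bin/(osascript|sfltool)")
PROC_CMD = re.compile(r"(?i)(login.?item|make.login.item|System.Events)")
SFLTOOL_CMD = re.compile(r"(?i)(add|login)")
SYSEVENTS_PATH = re.compile(r"System Events")
SYSEVENTS_CMD = re.compile(r"(?i)(login.?item|loginitem|LoginItem)")
FILE_PATHS = [re.compile(p) for p in (
    r"backgrounditems\.btm",
    r"com\.apple\.backgroundtaskmanagementagent",
    r"com\.apple\.loginitems",
    r"Library/Application Support/com\.apple\.backgroundtaskmanagementagent",
)]

def matched_branch(ev: Dict[str, str]) -> Optional[str]:
    """Return which rule branch a flattened UDM-style event satisfies, or None."""
    kind, path, cmd = ev.get("event_type"), ev.get("full_path", ""), ev.get("command_line", "")
    if kind == "PROCESS_LAUNCH":
        if PROC_PATH.search(path) and (
            PROC_CMD.search(cmd) or ("sfltool" in cmd and SFLTOOL_CMD.search(cmd))
        ):
            return "osascript_or_sfltool"
        if SYSEVENTS_PATH.search(path) and SYSEVENTS_CMD.search(cmd):
            return "system_events"
    elif kind == "FILE_CREATION" and any(p.search(path) for p in FILE_PATHS):
        return "login_item_file_write"
    return None

def run_rule(events: List[Dict[str, str]]) -> List[tuple]:
    """(index, branch) for every event the rule would alert on."""
    hits = [(i, matched_branch(e)) for i, e in enumerate(events)]
    return [(i, b) for i, b in hits if b is not None]

# Constructed sample events (not real telemetry), keyed to the page's test cases.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_type": "PROCESS_LAUNCH", "full_path": "/usr/bin/osascript",   # Test 1
     "command_line": 'osascript -e \'tell application "System Events" to make login item at end with properties {...}\''},
    {"event_type": "PROCESS_LAUNCH", "full_path": "/usr/bin/sfltool",     # Test 4
     "command_line": "sfltool add-item <list-name> file:///Applications/Example.app"},
    {"event_type": "FILE_CREATION",                                       # btm database write
     "full_path": "/Users/alice/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm"},
    {"event_type": "PROCESS_LAUNCH", "full_path": "/usr/bin/osascript",   # benign control
     "command_line": 'osascript -e \'display dialog "Backup finished"\''},
    {"event_type": "FILE_CREATION", "full_path": "/Users/alice/Documents/notes.txt"},  # benign control
    {"event_type": "PROCESS_LAUNCH", "full_path": "/usr/bin/osascript",   # Test 3 (read-only)
     "command_line": 'osascript -e \'tell application "System Events" to get the name of every login item\''},
]
```

Event 5, the read-only enumeration from Test 3, fires the same process-launch branch as the creation cases, so the rule alone does not separate reconnaissance from persistence; the presence or absence of a file-creation event on backgrounditems.btm in the same session is what distinguishes them.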
Data Sources
Required Tables
False Positives & Tuning
- Legitimate macOS application installers and setup wizards that use AppleScript/osascript to register login items as part of standard installation procedures (e.g., cloud sync clients, communication apps)
- IT and MDM management agents that programmatically configure login items during device enrollment, compliance baseline enforcement, or software deployment
- macOS operating system update processes and Migration Assistant that rewrite login item databases during OS migrations or profile transfers
- Developer automation tools and continuous integration agents that add themselves to login items for persistent execution between user sessions
Other platforms for T1547.015
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add Login Item via AppleScript (Shared File List)
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. File modification event on ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. Unified Log entry in com.apple.backgroundtaskmanagement subsystem.
- Test 2: Add Hidden Login Item via AppleScript
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'hidden:true'. File modification of backgrounditems.btm. Unified Log entry showing the hidden login item creation.
- Test 3: Enumerate Login Items via AppleScript (Reconnaissance)
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. No file modification events (read-only operation).
- Test 4: Login Item via sfltool (Shared File List Tool)
Expected signal: Sysmon for macOS Event ID 1: Process Create for sfltool with CommandLine containing 'add-item' and the shared file list name. File modification of backgrounditems.btm. Unified Log entries for shared file list modifications.
References (9)
- https://attack.mitre.org/techniques/T1547/015/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html
- https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac
- https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/
- https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/
- https://objective-see.com/blog/blog_0x31.html
- https://objective-see.com/blog/blog_0x44.html
- https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md