Detect Login Items in Elastic Security
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them. Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1547 Boot or Logon Autostart Execution
- Sub-technique: T1547.015 Login Items
- Canonical reference: https://attack.mitre.org/techniques/T1547/015/
Elastic Detection Query
```eql
any where host.os.type == "macos" and (
  (event.category == "process" and event.type == "start" and
   process.name == "osascript" and
   (process.command_line : "*login item*" or process.command_line : "*System Events*" or process.command_line : "*make login item*")) or
  (event.category == "process" and event.type == "start" and
   process.name == "System Events" and
   (process.command_line : "*login item*" or process.command_line : "*loginitem*" or process.command_line : "*LoginItem*")) or
  (event.category == "process" and event.type == "start" and
   process.name == "sfltool" and
   process.command_line : "*add*" and process.command_line : "*login*") or
  (event.category == "file" and
   event.action in ("creation", "modification") and
   (
     file.path : "*backgrounditems.btm*" or
     file.path : "*com.apple.backgroundtaskmanagementagent*" or
     file.path : "*com.apple.loginitems*" or
     file.path : "*/Library/Application Support/com.apple.backgroundtaskmanagementagent*"
   ))
)
```

Detects macOS Login Items persistence (T1547.015) via AppleScript/osascript calls to System Events, sfltool login item manipulation, or direct file creation/modification in Background Task Management and Login Items paths. Covers both shared file list and Service Management Framework persistence vectors.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate application installers (e.g., Dropbox, Zoom, Slack) that register themselves as login items using AppleScript or SMLoginItemSetEnabled during first launch or setup
- macOS system utilities and preference management tools that programmatically modify login item configurations during OS updates or user profile migrations
- IT management platforms (Jamf Pro, Mosyle, Kandji) running osascript or sfltool as part of device enrollment, configuration baselines, or software provisioning workflows
- Developer tools and CI/CD agents (e.g., Xcode helper processes, build agents) that use System Events scripting for automation and test harness setup
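The detection query above, re-implemented in Python and run over constructed sample events so that its four branches, and the parent-process allow-listing that the false-positive sources listed above call for, can be checked offline. This is an added example, not Elastic's code; the `process.parent.name` values, the `trusted_parents` allow-list and the sample command lines are assumptions.

```python
from fnmatch import fnmatchcase

# Added example (not Elastic code): the rule's four OR'd branches as Python. EQL ':' is a case-insensitive wildcard match.
def wild(value, *patterns):
    return value is not None and any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

LOGIN_ITEM_PATHS = ("*backgrounditems.btm*", "*com.apple.backgroundtaskmanagementagent*",
                    "*com.apple.loginitems*",
                    "*/Library/Application Support/com.apple.backgroundtaskmanagementagent*")

def match_login_item_rule(ev):
    """Return the branch an ECS-style event satisfies (osascript, system_events,
    sfltool, login_item_file) or None, mirroring the EQL query above."""
    if ev.get("host.os.type") != "macos":
        return None
    cat, typ = ev.get("event.category"), ev.get("event.type")
    name, cmd = ev.get("process.name"), ev.get("process.command_line")
    if cat == "process" and typ == "start":
        if name == "osascript" and wild(cmd, "*login item*", "*System Events*", "*make login item*"):
            return "osascript"
        if name == "System Events" and wild(cmd, "*login item*", "*loginitem*", "*LoginItem*"):
            return "system_events"
        if name == "sfltool" and wild(cmd, "*add*") and wild(cmd, "*login*"):
            return "sfltool"
    if cat == "file" and ev.get("event.action") in ("creation", "modification"):
        if wild(ev.get("file.path"), *LOGIN_ITEM_PATHS):
            return "login_item_file"
    return None

def triage(events, trusted_parents=()):
    """Hits as (index, branch); drop those spawned by an allow-listed management agent (assumed tuning)."""
    return [(i, b) for i, ev in enumerate(events)
            if (b := match_login_item_rule(ev))
            and ev.get("process.parent.name") not in trusted_parents]

# Constructed sample telemetry (not captured from a real host); parent names and command lines are assumed.
SAMPLE_EVENTS = [
    {"host.os.type": "macos", "event.category": "process", "event.type": "start", "process.name": "osascript",
     "process.parent.name": "bash", "process.command_line": "osascript -e 'tell application \"System Events\" to make login item at end with properties {...}'"},
    {"host.os.type": "macos", "event.category": "process", "event.type": "start", "process.name": "sfltool",
     "process.parent.name": "jamf", "process.command_line": "sfltool add-item com.apple.LSSharedFileList.SessionLoginItems file:///Applications/Example.app"},
    {"host.os.type": "macos", "event.category": "file", "event.action": "modification",
     "file.path": "/Users/alice/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm"},
    {"host.os.type": "macos", "event.category": "process", "event.type": "start", "process.name": "osascript",
     "process.parent.name": "bash", "process.command_line": "osascript -e 'display notification \"build finished\"'"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))                             # [(0, 'osascript'), (1, 'sfltool'), (2, 'login_item_file')]
    print(triage(SAMPLE_EVENTS, trusted_parents=("jamf",)))  # [(0, 'osascript'), (2, 'login_item_file')]
```

The fourth event (a plain `display notification` call from osascript) is deliberately not matched, which shows that the rule keys on login-item vocabulary rather than on osascript alone.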
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add Login Item via AppleScript (Shared File List)
  Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. File modification event on ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. Unified Log entry in com.apple.backgroundtaskmanagement subsystem.
- Test 2: Add Hidden Login Item via AppleScript
  Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'hidden:true'. File modification of backgrounditems.btm. Unified Log entry showing the hidden login item creation.
- Test 3: Enumerate Login Items via AppleScript (Reconnaissance)
  Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. No file modification events (read-only operation).
- Test 4: Login Item via sfltool (Shared File List Tool)
  Expected signal: Sysmon for macOS Event ID 1: Process Create for sfltool with CommandLine containing 'add-item' and the shared file list name. File modification of backgrounditems.btm. Unified Log entries for shared file list modifications.
References (9)
- https://attack.mitre.org/techniques/T1547/015/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html
- https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac
- https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/
- https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/
- https://objective-see.com/blog/blog_0x31.html
- https://objective-see.com/blog/blog_0x44.html
- https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md