Detect Login Items in CrowdStrike LogScale
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them. Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.015 Login Items
- Canonical reference
- https://attack.mitre.org/techniques/T1547/015/
LogScale Detection Query
// T1547.015 - macOS Login Items Persistence
// Detection 1: osascript/System Events login item creation or sfltool manipulation
#event_simpleName = "ProcessRollup2"
| OperatingSystemVersion = /[Mm]ac/
| (
(FileName = /osascript/ and CommandLine = /(?i)(login.?item|make.login.item|System.Events)/)
or (FileName = /sfltool/ and CommandLine = /(?i)add/ and CommandLine = /(?i)login/)
or (CommandLine = /(?i)System.Events/ and CommandLine = /(?i)(login.?item|loginitem|LoginItem)/)
)
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, SHA256HashData])
| sort(field=timestamp, order=desc)
// Detection 2: File write to Login Items / Background Task Manager paths
| union [
#event_simpleName in ("PeFileWritten", "UnmanagedAssetWritten", "ScriptControlScanTelemetry")
| OperatingSystemVersion = /[Mm]ac/
| TargetFileName = /(?i)(backgrounditems\.btm|com\.apple\.backgroundtaskmanagementagent|com\.apple\.loginitems)/
| table([timestamp, ComputerName, UserName, TargetFileName, FileName, CommandLine, SHA256HashData])
| sort(field=timestamp, order=desc)
]Detects macOS Login Items persistence (T1547.015) in CrowdStrike Falcon telemetry. Uses ProcessRollup2 events to identify osascript invoking System Events for login item creation, sfltool direct login item additions, and file write events (PeFileWritten, UnmanagedAssetWritten) targeting the Background Task Manager database (backgrounditems.btm) or com.apple.loginitems plist paths. Results are unified across process and file event types.
Data Sources
Required Tables
False Positives & Tuning
- Commercial software products with legitimate background service requirements (Dropbox, Google Drive, Zoom, Microsoft Teams) that register login items via AppleScript or sfltool during installation or first-run configuration
- CrowdStrike Falcon sensor itself and other endpoint security products that may create or modify login items for persistence of their own protection components
- Enterprise IT management workflows using MDM scripting (Jamf Pro scripts, shell scripts calling osascript) to configure user login items as part of standard device provisioning
- macOS OS update and configuration migration processes that rewrite Background Task Manager state files as part of system upgrades or profile transfers
Other platforms for T1547.015
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Login Item via AppleScript (Shared File List)
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. File modification event on ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. Unified Log entry in com.apple.backgroundtaskmanagement subsystem.
- Test 2Add Hidden Login Item via AppleScript
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'hidden:true'. File modification of backgrounditems.btm. Unified Log entry showing the hidden login item creation.
- Test 3Enumerate Login Items via AppleScript (Reconnaissance)
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. No file modification events (read-only operation).
- Test 4Login Item via sfltool (Shared File List Tool)
Expected signal: Sysmon for macOS Event ID 1: Process Create for sfltool with CommandLine containing 'add-item' and the shared file list name. File modification of backgrounditems.btm. Unified Log entries for shared file list modifications.
References (9)
- https://attack.mitre.org/techniques/T1547/015/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html
- https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac
- https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/
- https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/
- https://objective-see.com/blog/blog_0x31.html
- https://objective-see.com/blog/blog_0x44.html
- https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md
Unlock Pro Content
Get the full detection package for T1547.015 including response playbook, investigation guide, and atomic red team tests.