Detect Login Items in IBM QRadar

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them. Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation
Technique: T1547 Boot or Logon Autostart Execution
Sub-technique: T1547.015 Login Items
Canonical reference: https://attack.mitre.org/techniques/T1547/015/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "Username",
  sourceip AS "Source IP",
  QIDNAME(qid) AS "Event Name",
  "ProcessName" AS "Process Name",
  "CommandLine" AS "Command Line",
  "ParentProcessName" AS "Parent Process",
  "FilePath" AS "File Path"
FROM events
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    /* osascript login item via AppleScript / System Events */
    (
      ("ProcessName" ILIKE '%osascript%' OR "CommandLine" ILIKE '%osascript%')
      AND (
        "CommandLine" ILIKE '%login item%'
        OR "CommandLine" ILIKE '%System Events%'
        OR "CommandLine" ILIKE '%make login item%'
      )
    )
    /* System Events process with login item arguments */
    OR (
      "ProcessName" ILIKE '%System Events%'
      AND (
        "CommandLine" ILIKE '%login item%'
        OR "CommandLine" ILIKE '%loginitem%'
        OR "CommandLine" ILIKE '%LoginItem%'
      )
    )
    /* sfltool adding login items */
    OR (
      ("ProcessName" ILIKE '%sfltool%' OR "CommandLine" ILIKE '%sfltool%')
      AND "CommandLine" ILIKE '%add%'
      AND "CommandLine" ILIKE '%login%'
    )
    /* File creation/modification in login item paths */
    OR (
      "EventCategory" IN ('File Created', 'File Modified', 'File Written')
      AND (
        "FilePath" ILIKE '%backgrounditems.btm%'
        OR "FilePath" ILIKE '%com.apple.backgroundtaskmanagementagent%'
        OR "FilePath" ILIKE '%com.apple.loginitems%'
        OR "FilePath" ILIKE '%Application Support/com.apple.backgroundtaskmanagementagent%'
      )
    )
  )
ORDER BY starttime DESC
```

Severity: high. Confidence: medium.

Detects macOS Login Items persistence (T1547.015) by querying for osascript/System Events AppleScript login item manipulation, sfltool login item additions, and file writes to Background Task Manager and Login Items plist paths. Queries both process execution and file activity event types from macOS endpoint log sources.

Data Sources

  • macOS Endpoint Detection (CrowdStrike Falcon, Carbon Black, SentinelOne via QRadar DSM)
  • Jamf Pro or similar MDM with process/file event forwarding
  • QRadar macOS custom DSM with osquery or Elastic Agent

Required Tables

events

False Positives & Tuning

  • Legitimate software installers and application first-run setups that use AppleScript or osascript to register login items, including commercial productivity software (Dropbox, OneDrive, Zoom)
  • IT management and MDM platform agents (Jamf, Mosyle) that programmatically configure login items as part of policy enforcement or software deployment workflows
  • macOS system processes and OS updates that legitimately modify the backgrounditems.btm database or com.apple.loginitems plist as part of system configuration
  • Security tools that use sfltool for audit or inventory purposes during compliance scanning

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Add Login Item via AppleScript (Shared File List)

    Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. File modification event on ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. Unified Log entry in com.apple.backgroundtaskmanagement subsystem.

  2. Test 2: Add Hidden Login Item via AppleScript

    Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'hidden:true'. File modification of backgrounditems.btm. Unified Log entry showing the hidden login item creation.

  3. Test 3: Enumerate Login Items via AppleScript (Reconnaissance)

    Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. No file modification events (read-only operation).

  4. Test 4: Login Item via sfltool (Shared File List Tool)

    Expected signal: Sysmon for macOS Event ID 1: Process Create for sfltool with CommandLine containing 'add-item' and the shared file list name. File modification of backgrounditems.btm. Unified Log entries for shared file list modifications.
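The WHERE predicate of the AQL query above, re-implemented in Python as an added example (not the page's or IBM's code) so the rule logic can be exercised offline against the four tests above and the benign cases from the False Positives section. The sample events, the allowlisted process names and the sfltool list-name placeholder are constructed assumptions, not values from the page.

```python
# Process names the page's tuning section treats as expected sources of benign
# login-item activity; the exact names are assumptions, adjust them locally.
BENIGN_PROCESSES = {"backgroundtaskmanagementagent", "jamf", "mosyle"}

def ilike(value, pattern):
    """AQL ILIKE '%x%' is a case-insensitive substring test."""
    return pattern.strip("%").lower() in (value or "").lower()

def login_item_clause(ev):
    """Return the name of the first AQL clause the event satisfies, or None."""
    proc, cmd = ev.get("ProcessName", ""), ev.get("CommandLine", "")
    cat, path = ev.get("EventCategory", ""), ev.get("FilePath", "")
    # Clause 1: osascript driving System Events ('%make login item%' is subsumed).
    if (ilike(proc, "%osascript%") or ilike(cmd, "%osascript%")) and (
            ilike(cmd, "%login item%") or ilike(cmd, "%System Events%")):
        return "osascript"
    # Clause 2: System Events itself ('%loginitem%' == '%LoginItem%' under ILIKE).
    if ilike(proc, "%System Events%") and (
            ilike(cmd, "%login item%") or ilike(cmd, "%loginitem%")):
        return "system_events"
    # Clause 3: sfltool additions.
    if (ilike(proc, "%sfltool%") or ilike(cmd, "%sfltool%")) and \
            ilike(cmd, "%add%") and ilike(cmd, "%login%"):
        return "sfltool"
    # Clause 4: writes to the Background Task Manager / Login Items stores.
    if cat in ("File Created", "File Modified", "File Written") and any(
            ilike(path, p) for p in ("%backgrounditems.btm%",
                                      "%com.apple.backgroundtaskmanagementagent%",
                                      "%com.apple.loginitems%")):
        return "login_item_file"
    return None

def alert(ev):
    """Tuned verdict: the matching clause, suppressed for allowlisted processes."""
    clause = login_item_clause(ev)
    if clause and (ev.get("ProcessName") or "").lower() in BENIGN_PROCESSES:
        return None
    return clause

# Constructed sample events: the four tests above plus two benign cases (placeholder list name).
SAMPLES = {
    "test1": {"ProcessName": "osascript", "CommandLine": "osascript -e 'tell application \"System Events\" to make login item ...'"},
    "test2": {"ProcessName": "osascript", "CommandLine": "osascript -e '... make login item ... hidden:true ...'"},
    "test3": {"ProcessName": "osascript", "CommandLine": "osascript -e 'tell application \"System Events\" to get every login item'"},
    "test4": {"ProcessName": "sfltool", "CommandLine": "sfltool add-item LOGIN_ITEMS_LIST_PLACEHOLDER file:///Applications/Example.app"},
    "btm_agent": {"ProcessName": "backgroundtaskmanagementagent", "EventCategory": "File Modified",
                  "FilePath": "/Users/alice/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm"},
    "plain_app": {"ProcessName": "Dropbox", "CommandLine": "/Applications/Dropbox.app/Contents/MacOS/Dropbox"},
}
```

Note that Test 3 (read-only enumeration) fires the same osascript clause as the additions, and the system agent's own write to backgrounditems.btm fires the file clause until the allowlist suppresses it.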
