Detect Login Items in Microsoft Sentinel
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them. Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1547 Boot or Logon Autostart Execution
- Sub-technique: T1547.015 Login Items
- Canonical reference: https://attack.mitre.org/techniques/T1547/015/
KQL Detection Query
let LoginItemPaths = dynamic([
    "backgrounditems.btm",
    "com.apple.backgroundtaskmanagementagent",
    "com.apple.loginitems",
    "Library/Application Support/com.apple.backgroundtaskmanagementagent"
]);
// Signal 1: AppleScript driving System Events to add or edit login items
let AppleScriptLoginItems = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "System Events"
| where ProcessCommandLine has_any ("login item", "loginitem") // has is case-insensitive
| extend Signal = "AppleScript System Events login item";
// Signal 2: osascript execution carrying login item manipulation commands
let OsascriptLoginItems = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "osascript" or ProcessCommandLine has "osascript"
| where ProcessCommandLine has_any ("login item", "System Events", "make login item")
| extend Signal = "osascript login item";
// Signal 3: creation or modification of the backgrounditems.btm shared file list
let LoginItemFileWrites = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (LoginItemPaths)
| where ActionType in ("FileCreated", "FileModified")
| extend Signal = "backgrounditems.btm written";
// Signal 4: sfltool adding shared file list entries
let SfltoolLoginItems = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sfltool" or ProcessCommandLine has "sfltool"
| where ProcessCommandLine has_any ("add", "login")
| extend Signal = "sfltool add";
// One result set, as a Sentinel analytics rule requires; Signal says which leg fired
union AppleScriptLoginItems, OsascriptLoginItems, LoginItemFileWrites, SfltoolLoginItems
| project Timestamp, Signal, DeviceName, AccountName, ActionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| sort by Timestamp desc
Detects macOS Login Items persistence via four signals: (1) AppleScript commands targeting 'System Events' to add login items, (2) osascript execution with login item manipulation commands, (3) creation or modification of the backgrounditems.btm shared file list that stores login item entries, and (4) sfltool usage for adding shared file list login items. The four legs are combined with union and tagged with a Signal column so the query returns a single result set. Uses the DeviceProcessEvents and DeviceFileEvents tables from MDE for macOS.
Data Sources
Required Tables: DeviceProcessEvents, DeviceFileEvents (Microsoft Defender for Endpoint, macOS)
False Positives & Tuning
- Legitimate applications (Spotify, Slack, Docker Desktop, 1Password) adding themselves to Login Items when the user enables 'Open at Login' in the application menu or System Preferences
- macOS system processes updating backgrounditems.btm during software installation or system updates
- MDM-managed devices (Jamf, Mosyle, Kandji) deploying login items for corporate applications via configuration profiles
- Developers testing AppleScript or Login Item APIs during application development
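The four signals of the query above, plus the allowlist-style tuning this list implies, applied in Python to constructed MDE-style rows. This is an added example, not code from the original detection package; the ALLOWED_INITIATORS set, the signal names and the sample rows are assumptions made for illustration.

```python
import re
# Shared file list storage paths, taken from the KQL LoginItemPaths list.
LOGIN_ITEM_PATHS = ("backgrounditems.btm", "com.apple.backgroundtaskmanagementagent", "com.apple.loginitems")
# Constructed allowlist of initiating processes that legitimately register Login Items
# ("Open at Login" apps, MDM agents); tune it to your environment.
ALLOWED_INITIATORS = {"spotify", "slack", "docker desktop", "1password", "jamf", "jamfagent"}

def classify(ev):
    """Map one MDE-style row (keys mirror the KQL columns) to a signal name, or None."""
    if ev.get("InitiatingProcessFileName", "").lower() in ALLOWED_INITIATORS:
        return None  # tuned out: known-legitimate source of Login Item changes
    cmd, name = ev.get("ProcessCommandLine", ""), ev.get("FileName", "").lower()
    if ev["Table"] == "DeviceProcessEvents":
        # Signals 1 and 2: AppleScript driving System Events. KQL `has` is case-insensitive,
        # so one regex covers "login item", "loginitem" and "LoginItem".
        via_osascript = name == "osascript" or "osascript" in cmd.lower()
        if (re.search(r"system events", cmd, re.I) and re.search(r"login\s*item", cmd, re.I)) or (
                via_osascript and re.search(r"login item|system events", cmd, re.I)):
            # Atomic test 2: a hidden login item is the stronger form of the same signal.
            return "hidden_login_item" if re.search(r"hidden:\s*true", cmd, re.I) else "applescript_login_item"
        # Signal 4: sfltool adding a shared file list entry ("add-item" tokenises to "add").
        if (name == "sfltool" or "sfltool" in cmd.lower()) and re.search(r"\b(add|login)\b", cmd, re.I):
            return "sfltool_login_item"
    elif ev["Table"] == "DeviceFileEvents":
        # Signal 3: creation or modification of the backgrounditems.btm shared file list.
        path = ev.get("FolderPath", "").lower()
        if ev.get("ActionType") in ("FileCreated", "FileModified") and any(p in path for p in LOGIN_ITEM_PATHS):
            return "btm_file_write"
    return None

def detect(events):
    """Return (DeviceName, signal) for each row that fires, like the projected KQL output."""
    return [(ev["DeviceName"], sig) for ev in events if (sig := classify(ev))]

# Constructed sample telemetry (not real captures); the last two rows should not fire.
SAMPLE_EVENTS = [
    {"Table": "DeviceProcessEvents", "DeviceName": "mac-01", "FileName": "osascript", "InitiatingProcessFileName": "bash",
     "ProcessCommandLine": "osascript -e 'tell application \"System Events\" to make login item at end with properties "
                           "{path:\"/Users/alice/Library/Updater.app\", hidden:true}'"},
    {"Table": "DeviceProcessEvents", "DeviceName": "mac-02", "FileName": "sfltool", "InitiatingProcessFileName": "zsh",
     "ProcessCommandLine": "sfltool add-item com.apple.LSSharedFileList.SessionLoginItems file:///Applications/Notes.app"},
    {"Table": "DeviceFileEvents", "DeviceName": "mac-03", "ActionType": "FileModified", "FileName": "backgrounditems.btm",
     "FolderPath": "/Users/bob/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm",
     "InitiatingProcessFileName": "backgroundtaskmanagementagent"},
    {"Table": "DeviceFileEvents", "DeviceName": "mac-04", "ActionType": "FileModified", "FileName": "backgrounditems.btm",
     "FolderPath": "/Users/carol/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm",
     "InitiatingProcessFileName": "jamf"},  # MDM-managed device: allowlisted
    {"Table": "DeviceProcessEvents", "DeviceName": "mac-05", "FileName": "osascript", "InitiatingProcessFileName": "zsh",
     "ProcessCommandLine": "osascript -e 'tell application \"Finder\" to empty trash'"},  # no login item terms
]
```

Running detect(SAMPLE_EVENTS) yields one hit per signal for mac-01, mac-02 and mac-03, while the Jamf-initiated write and the unrelated osascript call are suppressed.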
Testing Methodology
Validate this detection against the four Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add Login Item via AppleScript (Shared File List)
  Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. File modification event on ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. Unified Log entry in the com.apple.backgroundtaskmanagement subsystem.
- Test 2: Add Hidden Login Item via AppleScript
  Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'hidden:true'. File modification of backgrounditems.btm. Unified Log entry showing the hidden login item creation.
- Test 3: Enumerate Login Items via AppleScript (Reconnaissance)
  Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. No file modification events (read-only operation).
- Test 4: Login Item via sfltool (Shared File List Tool)
  Expected signal: Sysmon for macOS Event ID 1: Process Create for sfltool with CommandLine containing 'add-item' and the shared file list name. File modification of backgrounditems.btm. Unified Log entries for shared file list modifications.
References
- https://attack.mitre.org/techniques/T1547/015/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html
- https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac
- https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/
- https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/
- https://objective-see.com/blog/blog_0x31.html
- https://objective-see.com/blog/blog_0x44.html
- https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md