T1547.015 Splunk · SPL

Detect Login Items in Splunk

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them. Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.015 Login Items
Canonical reference
https://attack.mitre.org/techniques/T1547/015/

SPL Detection Query

Splunk (SPL)
spl 
index=macos sourcetype=osquery:results
  (name="login_items" OR name="startup_items")
| eval item_path=coalesce('columns.path', 'columns.Path')
| eval item_name=coalesce('columns.name', 'columns.Name')
| eval item_type=coalesce('columns.type', 'columns.Type')
| table _time, host, item_name, item_path, item_type
| sort - _time
| append
  [search index=macos sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*login item*" OR CommandLine="*System Events*" OR CommandLine="*osascript*login*" OR CommandLine="*sfltool*")
  | table _time, host, User, Image, CommandLine, ParentImage
  | sort - _time]
| append
  [search index=macos sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (TargetFilename="*backgrounditems.btm*" OR TargetFilename="*com.apple.loginitems*")
  | table _time, host, User, Image, TargetFilename
  | sort - _time]
high severity medium confidence

Detects macOS Login Items persistence using multiple data sources: (1) osquery login_items table for real-time inventory of all registered login items, (2) Sysmon for macOS Event ID 1 for process creation events involving osascript, System Events, or sfltool login item manipulation, and (3) Sysmon Event ID 11 for file creation events on the backgrounditems.btm file. The osquery source provides a comprehensive snapshot while Sysmon captures the modification in real-time.

Data Sources

Process: Process CreationFile: File Creationosquery (login_items table)Sysmon for macOS

Required Sourcetypes

osquery:resultsXmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate applications adding themselves to Login Items when users enable 'Open at Login'
  • macOS system updates modifying the backgrounditems.btm shared file list
  • MDM solutions (Jamf, Mosyle) deploying login items via configuration profiles
  • Developers testing Login Item APIs during application development
Download portable Sigma rule (.yml)

Other platforms for T1547.015

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Login Item via AppleScript (Shared File List)

    Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. File modification event on ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. Unified Log entry in com.apple.backgroundtaskmanagement subsystem.

  2. Test 2Add Hidden Login Item via AppleScript

    Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'hidden:true'. File modification of backgrounditems.btm. Unified Log entry showing the hidden login item creation.

  3. Test 3Enumerate Login Items via AppleScript (Reconnaissance)

    Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. No file modification events (read-only operation).

  4. Test 4Login Item via sfltool (Shared File List Tool)

    Expected signal: Sysmon for macOS Event ID 1: Process Create for sfltool with CommandLine containing 'add-item' and the shared file list name. File modification of backgrounditems.btm. Unified Log entries for shared file list modifications.

Last updated: 2026-04-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1547.015 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1547Boot or Logon Autostart Execution

Related Sub-techniques

T1547.001Registry Run Keys / Startup FolderT1547.002Authentication PackageT1547.003Time ProvidersT1547.004Winlogon Helper DLLT1547.005Security Support ProviderT1547.006Kernel Modules and ExtensionsT1547.007Re-opened ApplicationsT1547.008LSASS DriverT1547.009Shortcut ModificationT1547.010Port MonitorsT1547.012Print ProcessorsT1547.013XDG Autostart EntriesT1547.014Active Setup

Related Techniques

T1547Boot or Logon Autostart ExecutionT1543.001Launch AgentT1543.004Launch DaemonT1059.002AppleScriptT1106Native APIT1036MasqueradingT1553.001Gatekeeper Bypass

Same Tactic: Persistence

Popular Detections