Detect Login Items in Sumo Logic CSE
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them. Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.015 Login Items
- Canonical reference
- https://attack.mitre.org/techniques/T1547/015/
Sumo Detection Query
(_sourceCategory="macos*" OR _sourceCategory="endpoint/macos*" OR _sourceCategory="osquery*")
| where (
/* osascript with login item or System Events */
(%raw matches /osascript/ and (%raw matches /login.item/i or %raw matches /System.Events/i or %raw matches /make.login.item/i))
/* System Events process handling login items */
or (%raw matches /System Events/ and (%raw matches /loginitem/i or %raw matches /login item/i or %raw matches /LoginItem/))
/* sfltool adding login items */
or (%raw matches /sfltool/ and %raw matches /add/ and %raw matches /login/i)
/* File creation in login item DB or plist paths */
or (%raw matches /backgrounditems\.btm/ or %raw matches /com\.apple\.backgroundtaskmanagementagent/ or %raw matches /com\.apple\.loginitems/)
)
| parse regex field=_raw "(?<process_name>[\w\-\.]+)\[(?<pid>\d+)\]" nodrop
| parse regex field=_raw "(?i)user[=:\s]+(?<username>[\w\-\.@]+)" nodrop
| parse regex field=_raw "(?i)host[=:\s]+(?<hostname>[\w\-\.]+)" nodrop
| parse regex field=_raw "(?i)(?:cmdline|CommandLine|command)[=:\s]+(?<command_line>.+?)(?:\||$|\n)" nodrop
| parse regex field=_raw "(?i)(?:path|filepath|FilePath)[=:\s]+(?<file_path>[^\s|]+)" nodrop
| fields _messagetime, hostname, username, process_name, pid, command_line, file_path
| sort by _messagetime descDetects macOS Login Items persistence (T1547.015) across multiple data sources including osquery login_items results, macOS endpoint process telemetry, and file event logs. Identifies AppleScript/osascript login item creation via System Events, sfltool-based manipulation, and direct writes to the Background Task Manager database or Login Items plist files.
Data Sources
Required Tables
False Positives & Tuning
- Commercial software installers (e.g., Adobe Creative Cloud, Microsoft Office, Zoom) that legitimately create login items via AppleScript or SMLoginItemSetEnabled during installation or first launch
- Enterprise MDM solutions (Jamf, Kandji, Mosyle) that script login item configuration via osascript or sfltool as part of baseline enforcement policies
- macOS system software and OS upgrade processes that rewrite backgrounditems.btm or com.apple.loginitems plists as part of migration or update routines
- Developer and DevOps tooling (rbenv, nvm launchers, build agents) that add themselves to login items for persistent daemon functionality
Other platforms for T1547.015
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Login Item via AppleScript (Shared File List)
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. File modification event on ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. Unified Log entry in com.apple.backgroundtaskmanagement subsystem.
- Test 2Add Hidden Login Item via AppleScript
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'hidden:true'. File modification of backgrounditems.btm. Unified Log entry showing the hidden login item creation.
- Test 3Enumerate Login Items via AppleScript (Reconnaissance)
Expected signal: Sysmon for macOS Event ID 1: Process Create for osascript with CommandLine containing 'login item' and 'System Events'. No file modification events (read-only operation).
- Test 4Login Item via sfltool (Shared File List Tool)
Expected signal: Sysmon for macOS Event ID 1: Process Create for sfltool with CommandLine containing 'add-item' and the shared file list name. File modification of backgrounditems.btm. Unified Log entries for shared file list modifications.
References (9)
- https://attack.mitre.org/techniques/T1547/015/
- https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html
- https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac
- https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/
- https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/
- https://objective-see.com/blog/blog_0x31.html
- https://objective-see.com/blog/blog_0x44.html
- https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md
Unlock Pro Content
Get the full detection package for T1547.015 including response playbook, investigation guide, and atomic red team tests.