title: Startup Items (T1037.005)
id: df00tech-t1037-005
status: experimental
description: "Adversaries may use startup items automatically executed at boot initialization to establish persistence on macOS systems. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information (StartupParameters.plist) used by the system to determine execution order. Although technically deprecated in favor of Launch Daemons, the /Library/StartupItems directory may still exist on systems. An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism that executes as root during system boot."
references:
  - https://attack.mitre.org/techniques/T1037/005/
  - https://df00tech.com/detections/T1037.005
author: df00tech
date: 2026/04/16
tags:
  - attack.persistence
  - attack.t1037.005
# NOTE: logsource and selection are derived from the technique description above
# (file creation under the deprecated /Library/StartupItems directory on macOS);
# the original KQL/SPL query on df00tech may cover additional telemetry.
logsource:
  category: file_event
  product: macos
detection:
  selection:
    TargetFilename|startswith: '/Library/StartupItems/'
  condition: selection
falsepositives:
  - Legitimate third-party macOS software installers that still use the deprecated StartupItems mechanism for compatibility with older macOS versions
  - System administrators or IT teams manually creating startup items for legacy application compatibility
  - macOS system updates or migration tools that read or restore /Library/StartupItems content from backups
  - Security or monitoring software that scans /Library/StartupItems as part of system inventory or compliance checks
level: high
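As an added example (not part of the rule or of df00tech's detection content), the following script performs the kind of StartupItems inventory mentioned under false positives: it walks the directory, checks each item for the conventional executable plus StartupParameters.plist, parses the plist's Provides key, and flags items whose root-executed script is missing, non-executable or world-writable. The directory path and the fixture tree are assumptions so it can run offline on any OS.

```python
# Added example (not from the rule above): inventory a StartupItems directory
# and parse each item's StartupParameters.plist, as a defender's baseline check.
import os, plistlib, stat, tempfile

def audit_startup_items(root="/Library/StartupItems"):
    """One finding per entry: name, Provides list, and a list of issues."""
    findings = []
    if not os.path.isdir(root):
        return findings  # deprecated directory absent: nothing is registered
    for name in sorted(os.listdir(root)):
        item = os.path.join(root, name)
        finding = {"name": name, "provides": [], "issues": []}
        findings.append(finding)
        if not os.path.isdir(item):
            finding["issues"].append("not a directory")
            continue
        # Convention: the executable carries the same name as its directory.
        script = os.path.join(item, name)
        plist = os.path.join(item, "StartupParameters.plist")
        if not os.path.isfile(script):
            finding["issues"].append("missing executable")
        else:
            mode = os.stat(script).st_mode
            if not mode & stat.S_IXUSR:
                finding["issues"].append("executable bit not set")
            if mode & stat.S_IWOTH:  # anyone could edit what root runs at boot
                finding["issues"].append("world-writable script")
        if not os.path.isfile(plist):
            finding["issues"].append("missing StartupParameters.plist")
            continue
        try:
            with open(plist, "rb") as fh:
                finding["provides"] = list(plistlib.load(fh).get("Provides", []))
        except Exception:  # malformed plist or a non-dict top-level object
            finding["issues"].append("unparseable StartupParameters.plist")
    return findings

def build_fixture():
    """Constructed sample tree (not a real system): one sane item, one suspect."""
    root = tempfile.mkdtemp()
    for name, mode, with_plist in (("MyService", 0o755, True), ("Updater", 0o777, False)):
        os.makedirs(os.path.join(root, name))
        script = os.path.join(root, name, name)
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho started\n")
        os.chmod(script, mode)
        if with_plist:
            with open(os.path.join(root, name, "StartupParameters.plist"), "wb") as fh:
                plistlib.dump({"Provides": [name], "Requires": ["Network"]}, fh)
    return root
```

Run `audit_startup_items()` with no argument on a macOS host to inventory the real directory; any finding with a non-empty `issues` list is a candidate for review against the false positives listed above.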
