title: Login Items (T1547.015)
id: df00tech-t1547-015
status: experimental
description: "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them. Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables."
references:
  - https://attack.mitre.org/techniques/T1547/015/
  - https://df00tech.com/detections/T1547.015
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.015
# T1547.015 is a macOS technique; the logsource is set accordingly. Field names follow
# Sigma's generic process_creation schema for macOS (Image, CommandLine).
logsource:
  category: process_creation
  product: macos
detection:
  # The full KQL/SPL query is on df00tech. This selection covers the AppleScript path
  # named in the description (osascript asking System Events to create a login item).
  # Login items created through SMLoginItemSetEnabled do not spawn osascript and need
  # file or API telemetry instead (e.g. writes to backgrounditems.btm).
  selection:
    Image|endswith: '/osascript'
    CommandLine|contains|all:
      - 'System Events'
      - 'login item'
  condition: selection
falsepositives:
  - "Legitimate applications (Spotify, Slack, Docker Desktop, 1Password) adding themselves to Login Items when the user enables 'Open at Login' in the application menu or System Preferences"
  - macOS system processes updating backgrounditems.btm during software installation or system updates
  - "MDM-managed devices (Jamf, Mosyle, Kandji) deploying login items for corporate applications via configuration profiles"
  - Developers testing AppleScript or Login Item APIs during application development
level: high
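The rule above names two creation paths: AppleScript via osascript, and the shared file list whose on-disk store is backgrounditems.btm. As an added example (not code from the df00tech rule or from MITRE), the following Python runs that detection logic over a handful of constructed macOS events so the two paths, and the expected false-positive case of the system agent maintaining the store, can be seen side by side. The event field names (Image, CommandLine, TargetFilename, User) are assumptions modelled on Sigma's process_creation and file_event conventions, the "expected writer" allowlist is an assumption for this example, and every record in SAMPLE_EVENTS is constructed, not real telemetry.

```python
"""T1547.015 detection logic run over constructed sample events.

Added example, not code from the df00tech rule or MITRE. It mirrors the rule's
intent for the two creation paths the description names:
  * AppleScript: osascript asking System Events to "make login item"
  * shared file list: writes to backgrounditems.btm by a process other than the
    macOS agent that owns that store
Field names (Image, CommandLine, TargetFilename, User) follow Sigma's
process_creation / file_event conventions; the event records below are
constructed for this example and are not real telemetry.
"""
import re

# Both AppleScript spellings: "make login item ..." and "make new login item ..."
LOGIN_ITEM_RE = re.compile(r"\bmake\s+(?:new\s+)?login\s+item\b", re.IGNORECASE)
# The properties record usually carries the target path: {path:"/x/y.app", hidden:true}
PATH_PROP_RE = re.compile(r'path\s*:\s*"([^"]+)"')
HIDDEN_PROP_RE = re.compile(r"hidden\s*:\s*true", re.IGNORECASE)

BTM_STORE_SUFFIX = "backgrounditems.btm"
# Assumption for this example: only the BackgroundTaskManagement agent should
# rewrite the .btm store; any other writer is worth a look.
BTM_EXPECTED_WRITERS = {"backgroundtaskmanagementagent"}


def check_process_event(ev):
    """Flag osascript invocations that create a login item; return a finding or None."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if not image.endswith("/osascript") or not LOGIN_ITEM_RE.search(cmd):
        return None
    path = PATH_PROP_RE.search(cmd)
    return {
        "technique": "T1547.015",
        "vector": "applescript",
        "user": ev.get("User", ""),
        "target": path.group(1) if path else None,   # None when path is not a quoted literal
        "hidden": HIDDEN_PROP_RE.search(cmd) is not None,
    }


def check_file_event(ev):
    """Flag writes to backgrounditems.btm by unexpected processes; return a finding or None."""
    target = ev.get("TargetFilename", "")
    if not target.endswith(BTM_STORE_SUFFIX):
        return None
    image = ev.get("Image", "")
    writer = image.rsplit("/", 1)[-1].lower()
    if writer in BTM_EXPECTED_WRITERS:
        return None
    return {
        "technique": "T1547.015",
        "vector": "btm_write",
        "user": ev.get("User", ""),
        "writer": image,
        "target": target,
    }


def run_detection(events):
    """Apply the matching check to each event and collect findings in input order."""
    findings = []
    for ev in events:
        if ev.get("category") == "process_creation":
            hit = check_process_event(ev)
        elif ev.get("category") == "file_event":
            hit = check_file_event(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {   # 1: AppleScript login item pointing at a hidden app under the user profile -> hit
        "category": "process_creation", "User": "alice",
        "Image": "/usr/bin/osascript",
        "CommandLine": ("osascript -e 'tell application \"System Events\" to make login item "
                        "at end with properties {path:\"/Users/alice/Library/.cache/updater.app\", "
                        "hidden:true}'"),
    },
    {   # 2: benign osascript use -> no hit
        "category": "process_creation", "User": "alice",
        "Image": "/usr/bin/osascript",
        "CommandLine": "osascript -e 'display notification \"build done\"'",
    },
    {   # 3: the system agent maintaining the store -> no hit
        "category": "file_event", "User": "alice",
        "Image": "/System/Library/CoreServices/backgroundtaskmanagementagent",
        "TargetFilename": "/Users/alice/Library/Application Support/"
                          "com.apple.backgroundtaskmanagementagent/backgrounditems.btm",
    },
    {   # 4: an ad-hoc binary rewriting the store directly -> hit
        "category": "file_event", "User": "alice",
        "Image": "/private/tmp/installer",
        "TargetFilename": "/Users/alice/Library/Application Support/"
                          "com.apple.backgroundtaskmanagementagent/backgrounditems.btm",
    },
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Two findings come back for the sample set: the osascript event (with the target path and hidden flag pulled out of the properties record, which is what an analyst wants first) and the direct write to backgrounditems.btm by /private/tmp/installer. The system agent's own write is suppressed by the allowlist, which is the false-positive case listed in the rule; the "Open at Login" applications in that list register through the Service Management path rather than osascript, so tuning for them belongs on the file or API side, not in the process_creation selection.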
