| ID | Name |
|---|---|
| T1037.001 | Logon Script (Windows) |
| T1037.002 | Login Hook |
| T1037.003 | Network Logon Script |
| T1037.004 | RC Scripts |
| T1037.005 | Startup Items |
Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.[1]
This is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.
An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.[2] Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions |
Since StartupItems are deprecated, preventing all users from writing to the |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0429 | Detect Modification of macOS Startup Items | AN1197 |
Detects the modification or addition of Launch Agents or Startup Items to establish persistence. Adversaries may write plist or executable files to ~/Library/LaunchAgents/, /Library/StartupItems/, or similar directories and configure them to run at user or system boot. Detection requires correlating file creation or modification events with subsequent user logon or boot-time process execution. |