Startup Items

Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items [1]. This mechanism is technically deprecated (superseded by Launch Daemons), so the corresponding folder, /Library/StartupItems, is not guaranteed to exist on a system by default, although it does exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top level of that directory.

An adversary can create the appropriate folders and files in the StartupItems directory to register their own persistence mechanism [2]. Additionally, since StartupItems run during the bootup phase of macOS, they run as root. If an adversary is able to modify an existing Startup Item, they can escalate privileges as well.

ID: T1165
Tactic: Persistence, Privilege Escalation
Platform: macOS
Permissions Required: Administrator
Effective Permissions: root
Data Sources: File monitoring, Process monitoring
Version: 1.0

Procedure Examples

Name: jRAT
Description: jRAT can list and manage startup entries. [3]

Mitigations

Mitigation: Restrict File and Directory Permissions
Description: Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered.

Mitigation: User Account Management
Description: Appropriate permissions should be applied such that only specific users can edit the startup items, so that they cannot be leveraged for privilege escalation.

Detection

The /Library/StartupItems folder can be monitored for changes. In addition, the programs that are actually executed from this mechanism should be checked against a whitelist. Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.
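As an added example (not part of the ATT&CK page), the following Python audit implements the detection guidance above: it walks a StartupItems directory, compares each item against an assumed allowlist, checks that StartupParameters.plist is present and parses, and flags item directories or executables that are world-writable, which is the weakness the first mitigation addresses. The allowlist contents and the fixture tree are constructed assumptions.

```python
import os
import plistlib
import stat
import tempfile

# Assumed allowlist of startup item directory names an administrator has approved.
ALLOWED_ITEMS = {"ApprovedAgent"}


def audit_startup_items(root="/Library/StartupItems", allowed=ALLOWED_ITEMS):
    """Return (item_name, finding) tuples for anything an analyst should look at."""
    findings = []
    if not os.path.isdir(root):
        return findings  # deprecated mechanism: the folder may legitimately be absent
    for name in sorted(os.listdir(root)):
        item = os.path.join(root, name)
        if not os.path.isdir(item):
            continue
        if name not in allowed:
            findings.append((name, "not on allowlist"))
        plist = os.path.join(item, "StartupParameters.plist")
        if not os.path.isfile(plist):
            findings.append((name, "missing StartupParameters.plist"))
        else:
            try:
                with open(plist, "rb") as fh:
                    plistlib.load(fh)  # malformed plist is itself suspicious
            except plistlib.InvalidFileException:
                findings.append((name, "unparseable StartupParameters.plist"))
        # By convention the executable carries the directory's name; check both for
        # world-writable permissions, which would let any local user alter a root-run item.
        for path in (item, os.path.join(item, name)):
            if os.path.exists(path) and os.stat(path).st_mode & stat.S_IWOTH:
                findings.append((name, f"world-writable: {path}"))
    return findings


def build_fixture():
    """Construct a sample StartupItems tree (constructed test data, not real system state)."""
    root = tempfile.mkdtemp()

    def make(name, exe_mode, with_plist=True):
        item = os.path.join(root, name)
        os.mkdir(item)
        os.chmod(item, 0o755)
        exe = os.path.join(item, name)
        with open(exe, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(exe, exe_mode)
        if with_plist:
            with open(os.path.join(item, "StartupParameters.plist"), "wb") as fh:
                plistlib.dump({"Description": name, "Provides": [name]}, fh)

    make("ApprovedAgent", 0o755)          # known good item
    make("Updater", 0o777)                # unknown item whose executable anyone can modify
    make("Helper", 0o755, with_plist=False)  # unknown item lacking its plist
    return root
```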

References