DET0429 Detect Modification of macOS Startup Items

Item	Value
ID	DET0429
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1037.005 (Startup Items)

Analytics

macOS

AN1197

Detects the modification or addition of Launch Agents or Startup Items to establish persistence. Adversaries may write plist or executable files to ~/Library/LaunchAgents/, /Library/StartupItems/, or similar directories and configure them to run at user or system boot. Detection requires correlating file creation or modification events with subsequent user logon or boot-time process execution.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	macos:unifiedlog	launchservices or loginwindow events
File Creation (DC0039)	macos:fsevents	/Library/StartupItems/, ~/Library/LaunchAgents/

Mutable Elements

Field	Description
directory_path	Specific paths to monitor may differ across macOS versions or enterprise baselines.
user_context	Different users may have unique LaunchAgents folders—tuning may be required.
time_window	The correlation time between file creation and process execution may need to be adjusted for boot persistence.
process_name	Specific startup binaries (e.g., bash, osascript) may vary across implementations.