Skip to content

T1037.005 Startup Items

Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.1

This is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.

An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.2 Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.

Item Value
ID T1037.005
Sub-techniques T1037.001, T1037.002, T1037.003, T1037.004, T1037.005
Tactics TA0003, TA0004
Platforms macOS
Permissions required Administrator
Version 1.0
Created 15 January 2020
Last Modified 20 April 2022

Procedure Examples

ID Name Description
S0283 jRAT jRAT can list and manage startup entries.3

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
DS0009 Process Process Creation

References

  1. Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017. 

  2. Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. 

  3. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.