T1547.015 Login Items
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.[1] Login items can be added via a shared file list or the Service Management Framework.[2] Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call `SMLoginItemSetEnabled`.

Login items installed using the Service Management Framework leverage launchd, are not visible in System Preferences, and can only be removed by the application that created them.[2][3] Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.[4] Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.

Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.[5] Prior to version 10.5 on macOS, adversaries can add login items by using AppleScript to send Apple events to the "System Events" process, which has an AppleScript dictionary for manipulating login items.[6] Adversaries can use a command such as `tell application "System Events" to make login item at end with properties /path/to/executable`.[7][8][9] This command adds the path of the malicious executable to the login item file list located in `~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm`.[7] Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.[10][11][12]
Item | Value |
---|---|
ID | T1547.015 |
Sub-techniques | T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015 |
Tactics | TA0003, TA0004 |
Platforms | macOS |
Permissions required | User |
Version | 1.0 |
Created | 05 October 2021 |
Last Modified | 18 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0281 | Dok | Dok uses AppleScript to install a login item by sending Apple events to the System Events process.[8] |
S0690 | Green Lambert | Green Lambert can add login items to establish persistence.[17][18] |
S0198 | NETWIRE | NETWIRE can persist via startup options for login items.[16] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0009 | Process | Process Creation |
References
- [1] Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021.
- [2] Apple. (2016, September 13). Adding Login Items. Retrieved July 11, 2017.
- [3] Tim Schroeder. (2013, April 21). SMLoginItemSetEnabled Demystified. Retrieved October 5, 2021.
- [4] Apple. (n.d.). Launch Services. Retrieved October 5, 2021.
- [5] hoakley. (2018, May 22). Running at startup: when to use a Login Item or a LaunchAgent/LaunchDaemon. Retrieved October 5, 2021.
- [6] hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021.
- [7] fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021.
- [8] kaloprominat. (2013, July 30). macos: manage add list remove login items apple script. Retrieved October 5, 2021.
- [9] Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- [10] Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
- [11] Patrick Wardle. (2019, June 20). Burned by Fire(fox). Retrieved October 1, 2021.
- [12] Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021.
- [13] Stokes, Phil. (2019, June 17). How Malware Persists on macOS. Retrieved September 10, 2019.
- [14] Apple. (2018, June 4). Launch Services Keys. Retrieved October 5, 2021.
- [15] Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- [16] Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
- [17] Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.