Persistence, Privilege Escalation

T1037.005: Startup Items

T1037.005 · Sub-technique · 1 platform

Description

Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)

This is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.

An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.

Platforms

macOS

Mitigations (1)

M1022: Restrict File and Directory Permissions

Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered.
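The following is an added example, not code from MITRE or from this page: a POSIX shell audit that checks whether the /Library/StartupItems directory (or a directory you pass in) is writable by non-root users, and lists each registered item, flagging ones that lack the top-level StartupParameters.plist or contain world-writable files. The directory argument and the FINDING/ITEM output format are this example's own conventions.

```shell
#!/bin/sh
# Defender-side audit of legacy macOS StartupItems. Items here run as root at boot,
# so anything a non-root user could create or modify is worth a finding.
# Constructed example; the optional directory argument exists so it can be tested offline.

audit_startup_items() {
    dir="${1:-/Library/StartupItems}"
    findings=0
    if [ ! -d "$dir" ]; then
        # Absence is the expected state on a modern macOS with no legacy items registered.
        echo "OK: $dir does not exist"
        return 0
    fi
    # M1022: nothing but root should be able to write here. -perm -002 = world-writable,
    # spelled in octal so it works with both BSD (macOS) and GNU find.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
        echo "FINDING: $dir is world-writable; any local user can register a startup item"
        findings=$((findings + 1))
    fi
    for item in "$dir"/*/; do
        [ -d "$item" ] || continue
        name=$(basename "$item")
        # A well-formed startup item keeps StartupParameters.plist in its top-level directory.
        if [ ! -f "$item/StartupParameters.plist" ]; then
            echo "FINDING: $name has no StartupParameters.plist (malformed or partially staged item)"
            findings=$((findings + 1))
        fi
        # World-writable executables or scripts inside an item run as root at the next boot.
        if [ -n "$(find "$item" -type f -perm -002 2>/dev/null)" ]; then
            echo "FINDING: $name contains world-writable files"
            findings=$((findings + 1))
        fi
        echo "ITEM: $name"
    done
    # Exit status 0 only when nothing was flagged, so the function can gate a compliance check.
    [ "$findings" -eq 0 ]
}

# Usage: audit_startup_items            # audits /Library/StartupItems
#        audit_startup_items /some/dir  # audits another directory
```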

Associated Software (1)

| ID | Name | Type | Context |
|---|---|---|---|
| S0283 | [jRAT](https://attack.mitre.org/software/S0283) | Malware | jRAT can list and manage startup entries.(Citation: Kaspersky Adwind Feb 2016) |

Frequently Asked Questions

What is T1037.005 (Startup Items)?

T1037.005 is a MITRE ATT&CK sub-technique named 'Startup Items'. It belongs to the Persistence and Privilege Escalation tactics. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or...

How can T1037.005 be detected?

Detection of T1037.005 (Startup Items) typically involves monitoring system logs, network traffic, and endpoint telemetry; for this technique, that means watching for the creation or modification of directories and files under /Library/StartupItems. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1037.005?

There is 1 documented mitigation for T1037.005: Restrict File and Directory Permissions (M1022).

Which threat groups use T1037.005?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.