Description
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.
Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.
Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using AppleScript to send Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as <code>tell application “System Events” to make login item at end with properties /path/to/executable</code>.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code>.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)
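The description above notes that shared-file-list login items are exposed through the "System Events" AppleScript dictionary and recorded in backgrounditems.btm. The following audit script is an added example written for this page, not code from MITRE or from any of the cited sources: it enumerates the current user's login items through the same System Events dictionary, compares each item's path against an allowlist of expected items, and reports whether the BTM file exists. The allowlist, the function names and the sample "name|path" lines used to exercise the audit are all constructed for illustration; only the AppleScript `login item` class and its `name`/`path` properties are assumed to exist as documented by Apple.

```shell
#!/bin/bash
# Audit shared-file-list login items on macOS against an allowlist.
# Added example for this page; assumes osascript is available and that
# "System Events" exposes login items with "name" and "path" properties.

# Constructed allowlist: executable paths expected to be login items.
ALLOWED_LOGIN_ITEM_PATHS="
/Applications/Mail.app
/Applications/Music.app
"

# Emit one "name|path" line per login item via the System Events dictionary.
# This is the only function that needs macOS; the audit itself is plain text.
collect_login_items() {
    osascript -e 'tell application "System Events"
        set out to ""
        repeat with li in login items
            set out to out & (name of li) & "|" & (path of li) & linefeed
        end repeat
        return out
    end tell'
}

# Read "name|path" lines on stdin, print each item whose path is not in the
# allowlist, and return 1 if any such item was found (0 if all are expected).
audit_login_items() {
    unexpected=0
    while IFS='|' read -r name path; do
        if [ -z "$path" ]; then
            continue
        fi
        if printf '%s\n' "$ALLOWED_LOGIN_ITEM_PATHS" | grep -Fxq -- "$path"; then
            continue
        fi
        printf 'UNEXPECTED login item: %s (%s)\n' "$name" "$path"
        unexpected=1
    done
    return "$unexpected"
}

# Report whether the BTM list named in the description exists and when it
# last changed. Its contents are a binary keyed archive, so only the file's
# presence and modification time are reported here.
report_btm_file() {
    btm="$HOME/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm"
    if [ -f "$btm" ]; then
        printf 'backgrounditems.btm present, last modified: '
        stat -f '%Sm' "$btm" 2>/dev/null || stat -c '%y' "$btm"
    else
        printf 'backgrounditems.btm not present\n'
    fi
}

# Stand-alone run on a Mac: audit the live login items, then check the file.
if command -v osascript >/dev/null 2>&1; then
    collect_login_items | audit_login_items
    report_btm_file
fi
```

Run it as the user whose login items are of interest; the allowlist is per-user by design, since login items are a per-user persistence location. A non-zero exit from `audit_login_items` is the signal to feed into whatever alerting pipeline is in use, and a change in the BTM file's modification time outside a known software-installation window is worth the same attention.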
Platforms
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0690 | Green Lambert | Malware | [Green Lambert](https://attack.mitre.org/software/S0690) can add [Login Items](https://attack.mitre.org/techniques/T1547/015) to establish persistence... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can persist via startup options for Login items.(Citation: Red Canary NETWIRE January 2020) |
| S0281 | Dok | Malware | [Dok](https://attack.mitre.org/software/S0281) uses AppleScript to install a login Item by sending Apple events to the <code>System Events</code> proc... |
References
- Apple. (2016, September 13). Adding Login Items. Retrieved July 11, 2017.
- Apple. (2018, June 4). Launch Services Keys. Retrieved October 5, 2021.
- Apple. (n.d.). Launch Services. Retrieved October 5, 2021.
- Apple. (n.d.). Login Items AE. Retrieved October 4, 2021.
- Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021.
- fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved November 17, 2024.
- hoakley. (2018, May 22). Running at startup: when to use a Login Item or a LaunchAgent/LaunchDaemon. Retrieved October 5, 2021.
- hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021.
- kaloprominat. (2013, July 30). macos: manage add list remove login items apple script. Retrieved October 5, 2021.
- Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
Frequently Asked Questions
What is T1547.015 (Login Items)?
T1547.015 is a MITRE ATT&CK technique named 'Login Items'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically la...
How can T1547.015 be detected?
Detection of T1547.015 (Login Items) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1547.015?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1547.015?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.