Suspicious StartupItem Plist Creation
Detects the creation or modification of a StartupParameters.plist file, indicating the presence of a StartupItem on the system. StartupItems have been deprecated on modern macOS systems (post Mavericks) in favor of Launch Daemons but still function. Creation of a StartupItem should be highly suspicious as legitimate applications no longer use this method for persistence.
Elastic rule
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects the creation or modification of a StartupParameters.plist file, indicating the presence of a
StartupItem on the system. StartupItems have been deprecated on modern macOS systems (post Mavericks)
in favor of Launch Daemons but still function. Creation of a StartupItem should be highly suspicious
as legitimate applications no longer use this method for persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious StartupItem Plist Creation"
references = [
    "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
]
risk_score = 73
rule_id = "15606250-449d-46a8-aaff-4043e42aefb9"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious StartupItem Plist Creation

StartupItems are a deprecated macOS persistence mechanism that predates LaunchDaemons and was phased out after OS X Mavericks. Despite deprecation, the StartupItem infrastructure still functions on modern macOS versions for backward compatibility. Because legitimate software no longer uses StartupItems, the creation of a StartupParameters.plist file in /Library/StartupItems/ or /System/Library/StartupItems/ is highly anomalous and strongly indicates malicious activity seeking persistence through an overlooked mechanism.

### Possible investigation steps

- Examine the file.path to identify the specific StartupItem directory and verify that it was newly created versus modified.
- Review the StartupParameters.plist contents using plutil to identify the Description, Provides, OrderPreference, and other configuration values.
- Locate the StartupItem script in the same directory (typically named after the item) and analyze its contents for malicious commands.
- Check the process.executable that created the StartupItem to understand the initial delivery mechanism.
- Review file creation timestamps to correlate the StartupItem creation with other suspicious activity on the system.
- Search for additional files or binaries that may have been deployed alongside the StartupItem.
- Check for corresponding entries in /etc/rc files that may interact with the StartupItem.

### False positive analysis

- Very old legacy applications may use StartupItems for backward compatibility. Verify the software's legitimacy and whether it is still supported.
- Some enterprise or industrial software may not have been updated to use modern persistence mechanisms. Confirm with IT operations if legacy software is expected.
- Apple's shove process is already excluded in the query as it may interact with StartupItem directories during system maintenance.

### Response and remediation

- Remove the entire StartupItem directory containing the malicious StartupParameters.plist and associated scripts.
- Verify that the StartupItem was not successfully executed by checking system logs for execution evidence.
- Reboot the system to confirm the StartupItem has been fully removed and no longer executes.
- Investigate the initial access vector that allowed creation of the StartupItem.
- Search for other deprecated persistence mechanisms on the system that may indicate comprehensive malware deployment.
- Review other systems in the environment for similar StartupItem creations.
- Monitor the /Library/StartupItems/ directory for future unauthorized file creation.
- Consider implementing file integrity monitoring on persistence directories to detect future modifications.
"""
query = '''
file where host.os.type == "macos" and event.type != "deletion" and
  file.name == "StartupParameters.plist" and
  file.path like ("/System/Library/StartupItems/*/StartupParameters.plist",
                  "/Library/StartupItems/*/StartupParameters.plist") and
  not (process.code_signature.signing_id == "com.apple.shove" and process.code_signature.trusted == true)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Persistence"
  id = "TA0003"
  reference = "https://attack.mitre.org/tactics/TA0003/"

  [[rule.threat.technique]]
  name = "Boot or Logon Initialization Scripts"
  id = "T1037"
  reference = "https://attack.mitre.org/techniques/T1037/"

    [[rule.threat.technique.subtechnique]]
    name = "Startup Items"
    id = "T1037.005"
    reference = "https://attack.mitre.org/techniques/T1037/005/"
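To make the query's logic concrete, the following added Python example (not Elastic's code and not how the Elastic detection engine evaluates EQL) re-implements each condition of the rule over a handful of constructed ECS-shaped file events: the macOS and non-deletion filters, the exact file name, the two `like` path patterns, and the exclusion that only fires when the signing id is com.apple.shove and the signature is trusted. The events, their ids and paths are invented for the demo; the assumption that a deletion shows up as "deletion" inside the event.type array is noted in the code.

```python
import fnmatch
from typing import Any

# Path patterns copied from the rule's EQL query. EQL `like` uses `*` as a
# wildcard matching any run of characters, so fnmatchcase is a faithful stand-in.
STARTUP_ITEM_PATTERNS = (
    "/System/Library/StartupItems/*/StartupParameters.plist",
    "/Library/StartupItems/*/StartupParameters.plist",
)


def field(event: dict, dotted: str, default: Any = None) -> Any:
    """Resolve an ECS dotted field name such as "file.path" in a nested dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matches_rule(event: dict) -> bool:
    """Apply the rule's conditions to one event, in the order they appear in the EQL."""
    # `file where ...` restricts the query to event.category == "file"
    if field(event, "event.category") != "file":
        return False
    if field(event, "host.os.type") != "macos":
        return False
    # event.type != "deletion": event.type is an array in ECS, so any event
    # carrying "deletion" is excluded (assumption about how deletions are encoded)
    types = field(event, "event.type", [])
    if "deletion" in ([types] if isinstance(types, str) else types):
        return False
    if field(event, "file.name") != "StartupParameters.plist":
        return False
    path = field(event, "file.path", "")
    if not any(fnmatch.fnmatchcase(path, pat) for pat in STARTUP_ITEM_PATTERNS):
        return False
    # The exclusion applies only when BOTH the signing id and the trusted flag match
    trusted_shove = (
        field(event, "process.code_signature.signing_id") == "com.apple.shove"
        and field(event, "process.code_signature.trusted") is True
    )
    return not trusted_shove


def make_event(evt_id: str, path: str, event_type: str = "creation",
               os_type: str = "macos", signing_id=None, trusted=None) -> dict:
    """Build a minimal ECS-shaped file event (constructed sample data, not real telemetry)."""
    return {
        "id": evt_id,
        "event": {"category": "file", "type": [event_type]},
        "host": {"os": {"type": os_type}},
        "file": {"name": path.rsplit("/", 1)[-1], "path": path},
        "process": {"code_signature": {"signing_id": signing_id, "trusted": trusted}},
    }


# Constructed events covering each branch of the query
SAMPLE_EVENTS = [
    # unsigned process writes a new plist under /Library/StartupItems -> alert
    make_event("evt-1", "/Library/StartupItems/UpdateHelper/StartupParameters.plist"),
    # same path touched by Apple's trusted shove process -> excluded by the rule
    make_event("evt-2", "/Library/StartupItems/UpdateHelper/StartupParameters.plist",
               event_type="change", signing_id="com.apple.shove", trusted=True),
    # deletion events are out of scope
    make_event("evt-3", "/Library/StartupItems/UpdateHelper/StartupParameters.plist",
               event_type="deletion"),
    # right file name, wrong location -> no alert
    make_event("evt-4", "/Users/analyst/Desktop/StartupParameters.plist"),
    # shove signing id but an untrusted signature -> exclusion does not apply
    make_event("evt-5", "/System/Library/StartupItems/Legacy/StartupParameters.plist",
               signing_id="com.apple.shove", trusted=False),
    # not a macOS host
    make_event("evt-6", "/Library/StartupItems/UpdateHelper/StartupParameters.plist",
               os_type="linux"),
]


def evaluate(events) -> list:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['evt-1', 'evt-5']
```

The evt-5 case is the one worth internalising: a signing id alone never suppresses an alert, because the query requires process.code_signature.trusted to be true as well, so a binary that merely claims Apple's identifier without a valid signature still triggers the rule.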
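The investigation steps above call for reading the StartupParameters.plist keys (Description, Provides, OrderPreference) with plutil and locating the script named after the item in the same directory. The following added Python example, which is not Elastic's code, performs that triage with the standard library's plistlib so it also runs off the box on an exported directory. It builds a throwaway StartupItem directory in a temp folder to demonstrate; the item name "UpdateHelper" and every plist value are constructed for the demo. On a live macOS host you would pass /Library/StartupItems and /System/Library/StartupItems to enumerate_startup_items.

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

# Constructed StartupParameters.plist modelled on the legacy key set
# (Description / Provides / Requires / OrderPreference); values are invented.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Description</key><string>Update helper</string>
  <key>Provides</key><array><string>UpdateHelper</string></array>
  <key>Requires</key><array><string>Network</string></array>
  <key>OrderPreference</key><string>Late</string>
</dict>
</plist>
"""


def summarize_startup_item(item_dir: Path) -> dict:
    """Collect the facts an analyst wants from one StartupItem directory."""
    plist_path = item_dir / "StartupParameters.plist"
    with plist_path.open("rb") as fh:
        params = plistlib.load(fh)  # equivalent of `plutil -p` for the key values
    # The startup script conventionally carries the same name as its directory
    script = item_dir / item_dir.name
    script_present = script.is_file()
    return {
        "item": item_dir.name,
        "description": params.get("Description"),
        "provides": list(params.get("Provides", [])),
        "requires": list(params.get("Requires", [])),
        "order_preference": params.get("OrderPreference"),
        "script_present": script_present,
        "script_executable": script_present and os.access(script, os.X_OK),
        # timestamps for correlating with other activity on the host
        "plist_mtime": plist_path.stat().st_mtime,
        "script_mtime": script.stat().st_mtime if script_present else None,
    }


def enumerate_startup_items(roots) -> list:
    """Summarize every StartupItem under the given root directories (missing roots are skipped)."""
    found = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for item_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            if (item_dir / "StartupParameters.plist").is_file():
                found.append(summarize_startup_item(item_dir))
    return found


def build_demo_tree() -> Path:
    """Create a temp directory shaped like /Library/StartupItems for the demo (constructed data)."""
    root = Path(tempfile.mkdtemp()) / "StartupItems"
    item = root / "UpdateHelper"
    item.mkdir(parents=True)
    (item / "StartupParameters.plist").write_bytes(SAMPLE_PLIST)
    script = item / "UpdateHelper"
    script.write_text("#!/bin/sh\n# placeholder startup script body for the demo\n")
    script.chmod(script.stat().st_mode | stat.S_IXUSR)
    return root


if __name__ == "__main__":
    # Real locations first; they simply yield nothing on a clean host or off macOS.
    real_roots = ["/Library/StartupItems", "/System/Library/StartupItems"]
    for entry in enumerate_startup_items(real_roots + [build_demo_tree()]):
        print(entry)
```

Anything the summary reports that is not a StartupItem directory with an executable script named after it is itself a finding: a Provides value that does not match the directory name, a missing or non-executable script, or a plist mtime far newer than the script's are all worth noting alongside the process.executable that wrote the file.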
Related rules
- Curl Execution via Shell Profile
- Dylib Injection via Process Environment Variables
- Manual Loading of a Suspicious Chromium Extension
- Persistence via Suspicious Launch Agent or Launch Daemon
- Persistence via a Hidden Plist Filename