Startup Items
Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
Sigma rule
```yaml
title: Startup Items
id: dfe8b941-4e54-4242-b674-6b613d521962
status: test
description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
author: Alejandro Ortuno, oscd.community
date: 2020/10/14
modified: 2022/07/11
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1037.005
logsource:
  category: file_event
  product: macos
detection:
  selection:
    - TargetFilename|contains: '/Library/StartupItems/'
    - TargetFilename|endswith: '.plist'
  condition: selection
falsepositives:
  - Legitimate administration activities
level: low
```
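The following is an added example, not code from the Sigma project, showing how the rule's selection evaluates against macOS file-event records. It assumes each event is a dict carrying a `TargetFilename` field, as the `file_event` logsource implies, and applies Sigma's default case-insensitive `contains` and `endswith` matching. It implements the behaviour the description states (a `.plist` written under `/Library/StartupItems/`, both conditions together) and, for comparison, the looser semantics of the selection as written: in Sigma, a list of maps under a selection is joined with OR, so the list form also fires on any `.plist` creation anywhere on the system. The sample events are constructed for the example.

```python
"""Evaluate the 'Startup Items' Sigma selection over constructed macOS file events.

Added example, not part of the Sigma rule set. Assumes events are dicts with a
'TargetFilename' key (hypothetical event shape for a file_event logsource).
"""
from typing import Iterable

# Values taken directly from the rule's selection.
STARTUP_ITEMS_DIR = "/Library/StartupItems/"   # TargetFilename|contains
PLIST_SUFFIX = ".plist"                        # TargetFilename|endswith


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: substring match, case-insensitive by default."""
    return needle.lower() in value.lower()


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: suffix match, case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def is_startup_item_plist(target_filename: str) -> bool:
    """Intended logic from the description: a .plist created under /Library/StartupItems/."""
    return (sigma_contains(target_filename, STARTUP_ITEMS_DIR)
            and sigma_endswith(target_filename, PLIST_SUFFIX))


def matches_list_form(target_filename: str) -> bool:
    """Semantics of the selection as written with a list of maps: OR between the two maps."""
    return (sigma_contains(target_filename, STARTUP_ITEMS_DIR)
            or sigma_endswith(target_filename, PLIST_SUFFIX))


def evaluate(events: Iterable[dict]) -> list[dict]:
    """Return the events that satisfy the intended selection, tagged with rule name and level."""
    hits = []
    for event in events:
        path = event.get("TargetFilename", "")
        if is_startup_item_plist(path):
            hits.append({**event, "rule": "Startup Items", "level": "low"})
    return hits


# Constructed sample events (paths and process names are made up for the example).
SAMPLE_EVENTS = [
    {"TargetFilename": "/Library/StartupItems/Updater/StartupParameters.plist",
     "Image": "/bin/cp"},
    {"TargetFilename": "/Library/StartupItems/Updater/Updater",
     "Image": "/bin/cp"},
    {"TargetFilename": "/Users/alice/Library/Preferences/com.apple.finder.plist",
     "Image": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
    {"TargetFilename": "/System/Library/StartupItems/Legacy/StartupParameters.plist",
     "Image": "/usr/bin/installer"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{hit['level']}] {hit['rule']}: {hit['TargetFilename']} by {hit['Image']}")
    # The Finder preferences plist is not a startup item, but the list form would still match it.
    print("list-form OR matches Finder plist:",
          matches_list_form("/Users/alice/Library/Preferences/com.apple.finder.plist"))
```

Running the block reports the two `StartupParameters.plist` writes and shows that the list-form OR would additionally fire on the user's Finder preferences plist, which is why the `falsepositives` entry about legitimate administration activity matters far less than getting the AND/OR shape of the selection right when deploying this rule.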
Related rules
- MacOS Emond Launch Daemon
- Addition of SID History to Active Directory Object
- MITRE BZAR Indicators for Persistence
- Scheduled Task/Job At
- Password Change on Directory Service Restore Mode (DSRM) Account