Startup Item File Created - MacOS
Detects the creation of a startup item plist file, which is automatically executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Sigma rule (View on GitHub)
title: Startup Item File Created - MacOS
id: dfe8b941-4e54-4242-b674-6b613d521962
status: test
description: |
    Detects the creation of a startup item plist file, which is automatically executed at boot initialization to establish persistence.
    Adversaries may use startup items automatically executed at boot initialization to establish persistence.
    Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
    - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2024-08-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1037.005
logsource:
    category: file_event
    product: macos
detection:
    selection:
        TargetFilename|startswith:
            - '/Library/StartupItems/'
            - '/System/Library/StartupItems'
        TargetFilename|endswith: '.plist'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
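The selection logic of the rule above, applied to constructed macOS file_event records, as an added example that is not part of the Sigma rule or of SigmaHQ. It assumes a flat event dict carrying a `TargetFilename` field; the sample paths are hypothetical, and the case-insensitive comparison follows Sigma's default string-matching semantics.

```python
# Added example (not part of the Sigma rule or SigmaHQ): applies the rule's
# 'selection' block to constructed macOS file_event records.
from typing import Iterable

# Values copied from the rule's detection.selection block, lower-cased once.
# Note: the second prefix has no trailing slash in the rule, so it also
# matches sibling directory names such as /System/Library/StartupItemsOld/.
STARTUP_ITEM_PREFIXES = ("/library/startupitems/", "/system/library/startupitems")
PLIST_SUFFIX = ".plist"


def matches_startup_item_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's single 'selection'.

    Sigma ANDs the two TargetFilename modifiers together and ORs the values
    listed under |startswith. Sigma string matching is case-insensitive by
    default, so the path is lower-cased before comparison.
    """
    path = event.get("TargetFilename")
    if not isinstance(path, str):
        return False  # e.g. a process event without a file path: nothing to match
    lowered = path.lower()
    return lowered.startswith(STARTUP_ITEM_PREFIXES) and lowered.endswith(PLIST_SUFFIX)


def alert_paths(events: Iterable[dict]) -> list[str]:
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches_startup_item_rule(e)]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "create", "TargetFilename": "/Library/StartupItems/Updater/StartupParameters.plist"},
    {"EventType": "create", "TargetFilename": "/System/Library/StartupItems/Foo/Info.plist"},
    {"EventType": "create", "TargetFilename": "/Library/StartupItems/Updater/Updater"},    # no .plist
    {"EventType": "create", "TargetFilename": "/Users/dev/Library/StartupItems/x.plist"},  # user path
    {"EventType": "create", "TargetFilename": "/Library/LaunchDaemons/com.example.plist"}, # other dir
    {"EventType": "exec", "Image": "/bin/launchctl"},                                     # no filename
]

if __name__ == "__main__":
    for path in alert_paths(SAMPLE_EVENTS):
        print("ALERT startup item plist created:", path)
```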