Type: Detection | Level: low | Status: test
Startup Item File Created - MacOS
Detects the creation of a startup item plist file, which is executed automatically during boot initialization to establish persistence. Adversaries may use startup items, executed automatically at boot, to establish persistence. Startup items run during the final phase of the boot process and contain shell scripts or other executable files along with configuration information the system uses to determine the execution order of all startup items.
Author: Alejandro Ortuno, oscd.community. Created Wed Oct 14, updated Sun Aug 11. Rule ID: dfe8b941-4e54-4242-b674-6b613d521962. Product: macos.
Log Source
macOS / File Event
Product: macOS (raw: macos)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Detection Logic (1 selector)
detection:
    selection:
        TargetFilename|startswith:
            - '/Library/StartupItems/'
            - '/System/Library/StartupItems'
        TargetFilename|endswith: '.plist'
    condition: selection
False Positives
Legitimate administration activities
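To show what the selection above actually matches, here is an added Python evaluator that applies the rule's two conditions to constructed file-event records; it is not part of the Sigma rule or its project, and the sample paths and process names are hypothetical. It also exercises two properties a reviewer should know: Sigma string modifiers compare case-insensitively by default, and the second prefix has no trailing slash, so any path starting with '/System/Library/StartupItems' matches.

```python
from dataclasses import dataclass

# Values copied from the rule's selection; the second prefix has no trailing
# slash, exactly as written in the rule.
STARTUP_ITEM_PREFIXES = ("/Library/StartupItems/", "/System/Library/StartupItems")
PLIST_SUFFIX = ".plist"


@dataclass(frozen=True)
class FileEvent:
    """Minimal file-creation event; target_filename mirrors Sigma's TargetFilename."""
    target_filename: str
    process: str  # hypothetical field, not used by the rule itself


def matches_startup_item_rule(event: FileEvent) -> bool:
    """Sigma selection: startswith any listed prefix AND endswith '.plist'.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison.
    """
    path = event.target_filename.lower()
    starts = any(path.startswith(p.lower()) for p in STARTUP_ITEM_PREFIXES)
    return starts and path.endswith(PLIST_SUFFIX)


def run_rule(events):
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if matches_startup_item_rule(e)]


# Constructed sample events (hypothetical paths and process names).
SAMPLE_EVENTS = [
    FileEvent("/Library/StartupItems/Updater/StartupParameters.plist", "bash"),  # hit
    FileEvent("/System/Library/StartupItems/Foo/Info.plist", "installer"),      # hit
    FileEvent("/System/Library/StartupItemsBackup/x.plist", "cp"),              # hit: no trailing slash in prefix
    FileEvent("/Library/StartupItems/Updater/Updater", "bash"),                 # miss: not a .plist
    FileEvent("/Library/LaunchAgents/com.example.agent.plist", "bash"),         # miss: path not covered by this rule
    FileEvent("/tmp/notes.plist", "TextEdit"),                                  # miss
]

if __name__ == "__main__":
    for e in run_rule(SAMPLE_EVENTS):
        print("ALERT", e.target_filename, "created by", e.process)
```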
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
dfe8b941-4e54-4242-b674-6b613d521962
Status
test
Level
low
Type
Detection
Created
Wed Oct 14
Modified
Sun Aug 11
Author
Alejandro Ortuno, oscd.community
Path
rules/macos/file_event/file_event_macos_susp_startup_item_created.yml
Raw Tags
attack.persistence, attack.privilege-escalation, attack.t1037.005