Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0340: Analytic 0340

Creation or modification of Login Items using AppleScript or Service Management Framework. Detection focuses on file creation/modification of `backgrounditems.btm`, new executables in `Contents/Library/LoginItems/`, use of `SMLoginItemSetEnabled` API, or suspicious processes triggered post-login without user interaction. Behavioral pivot includes anomalous AppleEvents, suspicious parent-child process pairs, and login-triggered execution chains.

EnterpriseAN0340AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about detecting macOS persistence risk through creation or modification of Login Items, including changes to backgrounditems.btm, new executables under Contents/Library/LoginItems/, Service Management Framework usage, and login-triggered execution without clear user interaction. For leaders, the value is confirming whether the organization can see and investigate software that silently starts after a user logs in, which matters for endpoint resilience, incident scoping, and audit evidence on macOS fleets.

Executive priority

Prioritize this where macOS systems support business-critical users, privileged administrators, developers, or executives. The decision point is not just whether an EDR product is deployed, but whether SOC and IR teams can prove visibility into login-startup changes, AppleScript or Service Management behavior, and suspicious post-login process chains. This analytic supports control validation for managed detection, endpoint hardening, and incident readiness, but the supplied ATT&CK object does not provide a specific tactic mapping or confirmed detection logic.

Technical view

SOC and detection teams should validate telemetry for macOS file creation/modification involving backgrounditems.btm and Contents/Library/LoginItems/, process execution around user login, parent-child process relationships, AppleEvents activity, and observable use of the SMLoginItemSetEnabled API where available. IR teams should be prepared to pivot from a changed Login Item to the responsible process, user context, executable path, signing/notarization details if locally available, and subsequent post-login execution chain. Because no official detection query is provided, this should be treated as a detection engineering requirement rather than a ready-to-run rule.

Likely telemetry

  • macOS file creation and modification events for backgrounditems.btm
  • File creation events for executables under Contents/Library/LoginItems/
  • Process creation telemetry around user login sessions
  • Parent-child process relationship data for login-triggered execution
  • AppleEvents-related activity where collected

Detection direction

  • Baseline legitimate Login Item creation and modification patterns for managed software to reduce false positives.
  • Alert on new or modified Login Item artifacts followed by execution after login without clear user interaction.
  • Correlate file changes with initiating process, user, timestamp, and subsequent child processes.
  • Review anomalous AppleEvents and suspicious parent-child process pairs as pivots, not as standalone proof of malicious activity.
  • Validate whether current macOS telemetry captures the specific artifacts named by the analytic; many environments collect process data but miss persistence file changes or API-level context.

Mitigation priorities

  • Ensure macOS endpoint monitoring covers Login Item persistence locations and post-login process execution.
  • Harden software installation and change-control practices for applications that create Login Items.
  • Limit unnecessary user privileges where feasible so persistence changes are easier to govern and investigate.
  • Maintain approved baselines for expected Login Items on managed macOS devices.
  • Integrate this validation into incident response playbooks for macOS persistence triage.
Analyst notes and limits

The object is a detection analytic for macOS and specifically names Login Items, AppleScript, Service Management Framework, backgrounditems.btm, Contents/Library/LoginItems/, SMLoginItemSetEnabled, AppleEvents, parent-child process pairs, and login-triggered execution chains. No relationships, tactics, aliases, labels, or official detection query were supplied, so this take focuses on defensive validation and telemetry requirements rather than adversary attribution or technique mapping.

The supplied ATT&CK fields do not include an official detection implementation, mapped tactics, related techniques, procedures, mitigations, or data source objects. Local macOS configuration, EDR capabilities, logging depth, and enterprise software baselines are required to determine actual coverage and alert quality.

Official MITRE ATT&CK definition

Analytic 0340

Creation or modification of Login Items using AppleScript or Service Management Framework. Detection focuses on file creation/modification of `backgrounditems.btm`, new executables in `Contents/Library/LoginItems/`, use of `SMLoginItemSetEnabled` API, or suspicious processes triggered post-login without user interaction. Behavioral pivot includes anomalous AppleEvents, suspicious parent-child process pairs, and login-triggered execution chains.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b2c5546f3534a54c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b2c5546f3534…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0340
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use