
DET0121: Detection Strategy for T1547.015 – Login Items on macOS

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0121 is a detection strategy tied to ATT&CK technique T1547.015, Login Items on macOS. The business significance is persistence: if an unwanted application, document, folder, or server connection is configured to launch at user login, an incident can survive reboots and normal user activity. For leaders, the key decision is whether macOS endpoint visibility and response processes can prove what is configured to auto-start, who changed it, and whether those changes are expected.

Executive priority

Prioritize this where macOS endpoints support business-critical users, privileged administrators, developers, or regulated workflows. The control question is not simply “do we monitor Macs,” but whether the organization can produce audit-ready evidence of login-item changes, investigate suspicious persistence during IR, and remove unauthorized auto-start entries quickly. This also informs budget decisions around endpoint telemetry, managed detection coverage, and macOS hardening standards.

Technical view

This strategy detects behavior related to T1547.015 Login Items, associated with persistence and privilege escalation on macOS. SOC and detection teams should validate visibility into login items created through supported macOS mechanisms such as shared file lists and the Service Management Framework, as described in the related technique context. Detection content should focus on change monitoring, unusual parent processes or scripting activity, newly registered auto-start items, and correlation with user/session context. IR teams should include login-item review in macOS persistence triage and post-containment validation.

Likely telemetry

  • macOS endpoint security or EDR events showing login-item additions, modifications, or removals
  • File system and configuration change records related to user auto-start locations or shared file list artifacts
  • Process execution telemetry for scripting or management tools that create or modify login items
  • User logon/session context to determine whether an item launches at login
  • Application inventory and code-signing or provenance metadata for items configured to auto-start

Detection direction

  • Baseline approved login items for managed macOS systems and alert on new or modified entries outside expected deployment paths.
  • Correlate login-item changes with the initiating user, parent process, timestamp, and endpoint management activity to reduce false positives from legitimate software installation or IT administration.
  • Tune separately for developer, administrator, and standard-user systems because normal auto-start behavior can vary significantly by role.
  • During investigations, compare configured login items against recent process execution and login events to determine whether the persistence mechanism actually executed.
  • Watch for blind spots where macOS telemetry is limited to process events but does not capture configuration changes that cause execution at login.
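As an added example (not part of the Glexia or MITRE content), the following Python applies the baseline-and-correlation approach above to constructed EDR-style login-item events: the approved-item baseline, role-specific expected paths, scripting-parent list, event field names and sample values are all assumptions chosen for illustration.

```python
import json
# Constructed baseline of approved login items (hypothetical paths and signers).
APPROVED = {"/Applications/Slack.app": "Developer ID Application: Slack (EXAMPLE)",
            "/Applications/Corp VPN.app": "Developer ID Application: CorpIT (EXAMPLE)"}
# Expected deployment paths; developer systems may also auto-start Homebrew tools.
DEFAULT_PATHS = ("/Applications/", "/Library/Application Support/")
ROLE_PATHS = {"developer": DEFAULT_PATHS + ("/opt/homebrew/",)}
SCRIPTING_PARENTS = {"osascript", "bash", "zsh", "sh", "python3", "perl", "curl"}
# Constructed EDR-style JSON lines; the field names are assumptions, not a vendor schema.
SAMPLE_EVENTS = """
{"ts":"2026-03-02T09:01:00Z","type":"login_item_added","user":"jdoe","role":"standard","path":"/Applications/Slack.app","signer":"Developer ID Application: Slack (EXAMPLE)","parent":"Installer","mdm":false}
{"ts":"2026-03-02T09:05:00Z","type":"login_item_added","user":"jdoe","role":"standard","path":"/Users/jdoe/Library/.cache/updater.app","signer":"","parent":"osascript","mdm":false}
{"ts":"2026-03-02T09:10:00Z","type":"login_item_added","user":"asmith","role":"developer","path":"/opt/homebrew/opt/node/bin/node","signer":"","parent":"brew","mdm":false}
{"ts":"2026-03-02T09:12:00Z","type":"login_item_added","user":"_mbsetupuser","role":"admin","path":"/Applications/Corp Backup.app","signer":"Developer ID Application: CorpIT (EXAMPLE)","parent":"jamf","mdm":true}
{"ts":"2026-03-02T09:15:00Z","type":"login_item_modified","user":"jdoe","role":"standard","path":"/Applications/Corp VPN.app","signer":"Developer ID Application: Unknown (EXAMPLE)","parent":"bash","mdm":false}
{"ts":"2026-03-02T09:20:00Z","type":"login_item_removed","user":"jdoe","role":"standard","path":"/Applications/Slack.app","signer":"","parent":"Finder","mdm":false}
"""

def assess(ev):
    # Return (severity, reasons) for one login-item change, or None when it is expected.
    if ev["type"] == "login_item_removed":
        return None  # removals are inventory drift, not new persistence
    reasons = []
    expected_signer = APPROVED.get(ev["path"])
    if expected_signer is None:
        reasons.append("not in approved baseline")
    elif expected_signer != ev["signer"]:
        reasons.append("signer mismatch for approved path")
    if not ev["path"].startswith(ROLE_PATHS.get(ev["role"], DEFAULT_PATHS)):
        reasons.append("outside expected deployment paths")
    if not ev["signer"]:
        reasons.append("unsigned item")
    if ev["parent"].lower() in SCRIPTING_PARENTS:
        reasons.append("registered by scripting parent " + ev["parent"])
    # A new, signed, well-placed item pushed by endpoint management is a baseline candidate.
    if ev["mdm"] and reasons == ["not in approved baseline"]:
        return ("low", ["deployed via endpoint management; review for baseline update"])
    high = any(r.startswith(("registered by", "signer mismatch")) for r in reasons) or (
        "unsigned item" in reasons and "outside expected deployment paths" in reasons)
    return ("high" if high else "medium", reasons) if reasons else None

def triage(jsonl):
    # Run assess() over JSON lines; findings are (ts, user, path, severity, reasons).
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        result = assess(ev)
        if result:
            findings.append((ev["ts"], ev["user"], ev["path"]) + result)
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields four findings: the unsigned item registered by osascript and the approved path re-signed by an unknown signer via bash score high, the developer's Homebrew tool scores medium, and the MDM-deployed app scores low as a baseline-update candidate.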

Mitigation priorities

  • Define an approved-login-item standard for managed macOS devices, especially privileged and high-value users.
  • Ensure endpoint management and security tooling can inventory and remove unauthorized login items.
  • Restrict local administrative rights where feasible so persistence-related configuration changes are easier to govern and investigate.
  • Include login-item checks in macOS incident response playbooks, containment validation, and compliance evidence collection.
  • Review legitimate software deployment processes so detections can distinguish expected enterprise changes from suspicious persistence.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy record for DET0121 and does not include an official description, detection logic, tactics, or platforms on the object itself. The actionable context comes from its relationship to T1547.015 Login Items, which supplies macOS platform context and the persistence/privilege-escalation relevance.

This take is based only on the provided STIX fields, the MITRE external reference, and the relationship to T1547.015. It does not assert active exploitation, actor attribution, vendor coverage, or guaranteed detection. Local macOS fleet configuration, EDR capabilities, MDM practices, and approved software baselines are required to turn this into production detection content.

Official MITRE ATT&CK definition

Detection Strategy for T1547.015 – Login Items on macOS

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name         Relationship / procedure
Enterprise  T1547.015  Login Items  Sub-technique: this object detects Login Items.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 1cd6f6f59a13b004...
Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  1cd6f6f59a13…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0121

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.