DET0429: Detect Modification of macOS Startup Items
Analyst context for executives and security teams
This detection strategy is about finding changes to macOS Startup Items, a legacy boot-time mechanism that can be used for persistence and privilege escalation. The business value is not that every environment still uses Startup Items, but that unmanaged legacy persistence paths create gaps in endpoint visibility, incident scoping, and audit confidence, especially on macOS systems that are older, specialized, or not consistently monitored.
Executive priority
Security leaders should treat this as a coverage-validation item for macOS resilience: do we know whether Startup Items exist in our estate, can we detect unauthorized modification, and would incident responders have evidence to distinguish approved legacy software from persistence activity? Because the related ATT&CK technique is tied to persistence and privilege escalation, this matters for business continuity, endpoint hardening, and compliance evidence around change monitoring and privileged execution paths.
Technical view
The supplied ATT&CK relationship says this strategy detects T1037.005 Startup Items, associated with macOS, persistence, and privilege escalation. Startup Items live under /Library/StartupItems (and historically /System/Library/StartupItems); each one is a directory containing an executable named after the directory plus a StartupParameters.plist, and the executable runs as root at boot. SOC and detection teams should validate whether endpoint telemetry captures creation, modification, deletion, ownership, and permission changes for those locations and the shell scripts or executable content inside them. Because MITRE does not provide official detection logic for this object, teams should build environment-specific baselines and tune around known administrative or legacy software activity.
Likely telemetry
- macOS file creation, modification, deletion, and metadata-change events for Startup Item-related paths
- File ownership and permission changes on startup-related scripts, executables, and configuration files
- Endpoint process execution telemetry for scripts or binaries launched during boot initialization
- Change-management or software inventory records identifying approved legacy startup components
- EDR or host audit logs that preserve user, process, timestamp, and parent-process context for startup item changes
Detection direction
- Confirm whether the macOS fleet still contains Startup Items, since the related technique notes this is deprecated technology superseded by Launch Daemons.
- Alert on new or modified Startup Item components where the actor, parent process, file owner, permissions, or timing does not match approved administrative activity.
- Prioritize detections that correlate file modification with subsequent boot-time execution evidence, rather than relying only on static file presence.
- Tune false positives using known legacy applications, system management tools, and authorized maintenance windows.
- Identify blind spots where macOS endpoints lack file integrity monitoring, EDR coverage, or boot-time execution logging.
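The telemetry and detection points above, expressed as runnable detection logic over constructed sample events. This is an added example for this page, not MITRE detection content or Glexia tooling. The event schema (ts, event, path, process, parent, uid, mode), the approved-writer list, and the parent process names in the samples are assumptions standing in for whatever your EDR or audit pipeline actually emits.

```python
"""Rule logic for modification of legacy macOS Startup Items (T1037.005),
run over constructed JSON-lines telemetry.  Added example; the event schema
and allow-list below are assumptions, not a real product's format."""
import json
from collections import defaultdict

# Legacy Startup Item locations on macOS.
STARTUP_ITEM_ROOTS = ("/Library/StartupItems/", "/System/Library/StartupItems/")

# Assumed allow-list of processes that legitimately write Startup Items in
# this environment (package installers, management agents); tune per estate.
APPROVED_WRITERS = {"/usr/sbin/installer", "/usr/local/bin/jamf"}

WRITE_EVENTS = {"create", "modify", "delete", "chmod", "chown", "rename"}

# Constructed sample telemetry (not real logs).  One JSON object per line.
# An approved install of VendorAgent, an unapproved drop of "Updater" by a
# non-root user, a later tamper of VendorAgent, and boot-time executions.
SAMPLE_EVENTS = """
{"ts": 100, "event": "create", "path": "/Library/StartupItems/VendorAgent/VendorAgent", "process": "/usr/sbin/installer", "parent": "/usr/libexec/xpcproxy", "uid": 0, "mode": "0755"}
{"ts": 101, "event": "create", "path": "/Library/StartupItems/VendorAgent/StartupParameters.plist", "process": "/usr/sbin/installer", "parent": "/usr/libexec/xpcproxy", "uid": 0, "mode": "0644"}
{"ts": 200, "event": "create", "path": "/Library/StartupItems/Updater/Updater", "process": "/bin/bash", "parent": "/usr/bin/curl", "uid": 501, "mode": "0777"}
{"ts": 201, "event": "create", "path": "/Library/StartupItems/Updater/StartupParameters.plist", "process": "/bin/bash", "parent": "/usr/bin/curl", "uid": 501, "mode": "0644"}
{"ts": 300, "event": "modify", "path": "/Library/StartupItems/VendorAgent/VendorAgent", "process": "/usr/bin/python3", "parent": "/bin/zsh", "uid": 501, "mode": "0755"}
{"ts": 900, "event": "exec", "path": "/Library/StartupItems/Updater/Updater", "process": "/Library/StartupItems/Updater/Updater", "parent": "/sbin/SystemStarter", "uid": 0, "mode": "0777"}
{"ts": 901, "event": "exec", "path": "/Library/StartupItems/VendorAgent/VendorAgent", "process": "/Library/StartupItems/VendorAgent/VendorAgent", "parent": "/sbin/SystemStarter", "uid": 0, "mode": "0755"}
{"ts": 950, "event": "modify", "path": "/Library/Application Support/Foo/foo.log", "process": "/bin/bash", "parent": "/bin/zsh", "uid": 501, "mode": "0644"}
"""


def item_of(path):
    """Return the Startup Item name a path belongs to, or None if the path
    is outside the Startup Item roots (or is the root itself)."""
    for root in STARTUP_ITEM_ROOTS:
        if path.startswith(root):
            return path[len(root):].split("/", 1)[0] or None
    return None


def is_group_or_world_writable(mode_octal):
    """Root-run content that non-root can write is a privilege escalation path."""
    return int(mode_octal, 8) & 0o022 != 0


def detect(events_jsonl, approved_writers=APPROVED_WRITERS):
    """Apply the rules to a JSON-lines event stream and return findings.

    Medium: a write to a Startup Item by an unapproved process, a non-root
    actor, or one that leaves the file group/world-writable.
    High: a later exec of an item that already has a suspicious write, which
    is the file-change-then-boot-execution correlation the page recommends."""
    findings = []
    suspicious_writes = defaultdict(int)  # item name -> count of flagged writes
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        item = item_of(ev["path"])
        if item is None:
            continue  # not Startup Item telemetry; ignore
        if ev["event"] in WRITE_EVENTS:
            reasons = []
            if ev["process"] not in approved_writers:
                reasons.append(f"unapproved writer {ev['process']} (parent {ev['parent']})")
            if ev["uid"] != 0:
                reasons.append(f"non-root actor uid {ev['uid']}")
            if is_group_or_world_writable(ev["mode"]):
                reasons.append(f"group/world-writable mode {ev['mode']}")
            if reasons:
                suspicious_writes[item] += 1
                findings.append({"ts": ev["ts"], "item": item, "path": ev["path"],
                                 "severity": "medium", "reasons": reasons})
        elif ev["event"] == "exec" and suspicious_writes[item]:
            findings.append({"ts": ev["ts"], "item": item, "path": ev["path"],
                             "severity": "high",
                             "reasons": [f"executed at boot (parent {ev['parent']}) "
                                         f"after {suspicious_writes[item]} suspicious write(s)"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["ts"], f["severity"].upper(), f["item"], "; ".join(f["reasons"]))
```

On the sample stream this yields three medium findings (the two Updater drops and the VendorAgent tamper) and two high findings (both items executing at boot afterwards); the approved installer activity and the unrelated log write produce nothing. Tuning in practice means extending the approved-writer set and, for delete events, deciding whether removal by an unapproved process should rate the same as creation.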
Mitigation priorities
- Inventory macOS systems for legacy Startup Items and determine whether they are still operationally required.
- Remove or replace unnecessary legacy startup mechanisms where business owners approve decommissioning.
- Restrict administrative write access to startup-related locations and monitor privileged changes.
- Maintain change-control evidence for approved startup components so SOC and IR teams can quickly separate expected legacy behavior from suspicious modification.
- Validate that endpoint monitoring covers older or specialized macOS systems, not only standard managed workstations.
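The inventory and access-restriction items above, as an on-host posture check. This is an added example for this page, not MITRE or Glexia tooling. It relies only on the documented layout of a Startup Item (a directory under /Library/StartupItems or /System/Library/StartupItems holding an executable named after the directory and a StartupParameters.plist); the change-control baseline is assumed to be a name-to-SHA-256 map exported from your software inventory, and the demo builds a constructed tree in a temporary directory so it can run on any machine without root.

```python
"""Inventory legacy macOS Startup Items and check each against a
change-control baseline, ownership, and write permissions.
Added example; the baseline format and demo tree are constructed."""
import hashlib
import os
import stat
import tempfile

STARTUP_ITEM_ROOTS = ("/Library/StartupItems", "/System/Library/StartupItems")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root, baseline, expected_uid=0):
    """Scan one Startup Items root.  Returns (items, findings).

    items:    {name: {"exec", "sha256", "mode", "uid"}} for every item found
    findings: list of (name, reason) tuples a responder can act on
    baseline: {name: sha256} of change-controlled items (assumed export
              from software inventory / change records)"""
    items, findings = {}, []
    if not os.path.isdir(root):
        return items, findings  # host has no legacy items under this root
    for name in sorted(os.listdir(root)):
        item_dir = os.path.join(root, name)
        if not os.path.isdir(item_dir):
            findings.append((name, "stray file in StartupItems root"))
            continue
        exe = os.path.join(item_dir, name)
        if not os.path.isfile(os.path.join(item_dir, "StartupParameters.plist")):
            findings.append((name, "missing StartupParameters.plist"))
        if not os.path.isfile(exe):
            findings.append((name, "missing executable named after item"))
            continue
        st = os.stat(exe)
        mode = stat.S_IMODE(st.st_mode)
        digest = sha256_file(exe)
        items[name] = {"exec": exe, "sha256": digest, "mode": oct(mode), "uid": st.st_uid}
        if st.st_uid != expected_uid:
            findings.append((name, f"executable owned by uid {st.st_uid}, expected {expected_uid}"))
        if mode & 0o022:
            # Runs as root at boot but writable by group/other: escalation path.
            findings.append((name, "executable is group/world-writable"))
        if name not in baseline:
            findings.append((name, "not in change-control baseline"))
        elif baseline[name] != digest:
            findings.append((name, "executable hash differs from baseline"))
    return items, findings


def scan_host(baseline):
    """Real-world entry point: scan both roots on the current host as root."""
    return {root: inventory(root, baseline) for root in STARTUP_ITEM_ROOTS}


def demo():
    """Build a constructed StartupItems tree in a temp dir and scan it.
    The owner check uses the current uid because the demo does not run as root."""
    approved = b"#!/bin/sh\n. /etc/rc.common\nStartService() { /usr/local/bin/vendord; }\nRunService \"$1\"\n"
    good = hashlib.sha256(approved).hexdigest()
    baseline = {"VendorAgent": good, "Tampered": good}  # constructed change records
    with tempfile.TemporaryDirectory() as root:
        def make(name, body, mode=0o755, with_plist=True):
            d = os.path.join(root, name)
            os.makedirs(d)
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
            os.chmod(os.path.join(d, name), mode)
            if with_plist:
                with open(os.path.join(d, "StartupParameters.plist"), "w") as fh:
                    fh.write('{ Description = "%s"; Provides = ("%s"); }\n' % (name, name))
        make("VendorAgent", approved)                                  # clean
        make("Tampered", approved + b"/Users/Shared/.update &\n")      # hash drift
        make("Updater", b"#!/bin/sh\n/tmp/.u &\n", mode=0o777, with_plist=False)  # unapproved drop
        return inventory(root, baseline, expected_uid=os.getuid())


if __name__ == "__main__":
    found, issues = demo()
    print("items:", sorted(found))
    for name, reason in issues:
        print(f"{name}: {reason}")
```

On a real host run `scan_host(baseline)` as root; an empty result for both roots is itself useful evidence that the fleet no longer carries Startup Items, while any populated result feeds the decommissioning decision and the allow-list used by detection.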
Analyst notes and limits
The detection strategy object itself has no official description, no official detection text, and no platforms or tactics directly specified. The practical interpretation comes from its name and the ATT&CK relationship indicating it detects T1037.005 Startup Items, a macOS technique associated with persistence and privilege escalation. The related technique description also notes Startup Items are deprecated and superseded by Launch Daemons, which makes legacy asset discovery and monitoring coverage especially important.
This take does not assert active exploitation, actor usage, customer exposure, or guaranteed detection. Local validation is required to determine whether Startup Items exist in the environment, whether telemetry is collected, and which changes are authorized.
Detect Modification of macOS Startup Items
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1037.005 | Startup Items Sub-technique | This object detects Startup Items. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2cf8c8e669ec… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0429
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.