MITRE ATT&CK® Technique

T1547.015: Login Items

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.[1] Login items can be added via a shared file list or Service Management Framework.[2] Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.

Login items installed using the Service Management Framework leverage launchd, are not visible in System Preferences, and can only be removed by the application that created them.[2][3] Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.[4] Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.

Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.[5] Prior to version 10.5 on macOS, adversaries can add login items by using AppleScript to send Apple events to the "System Events" process, which has an AppleScript dictionary for manipulating login items.[6] Adversaries can use a command such as tell application "System Events" to make login item at end with properties /path/to/executable.[7][8][9] This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.[7] Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.[10][11][12]

Domain: Enterprise | ID: T1547.015 | Type: Sub-technique | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Login Items are a macOS autostart mechanism that can run applications, documents, folders, server connections, or related helper components when a user logs in. For security leaders, the risk is not that Login Items are inherently malicious, but that they are normal enough to blend into daily workstation behavior while giving an intruder persistence after reboot or relogin. This matters most in environments where macOS endpoints support privileged users, developers, executives, or remote access workflows.

Executive priority

Treat this as a macOS persistence and privilege-escalation validation item. Leaders should ask whether endpoint controls, SOC monitoring, and IR playbooks can identify unauthorized additions or changes to Login Items, including items created through mechanisms that may not appear in System Preferences. The business value of getting this right is resilience: if an attacker can persist across user logins unnoticed, containment, credential cleanup, and audit evidence all become less reliable.

Technical view

ATT&CK maps Login Items to macOS under persistence and privilege escalation, as a sub-technique of Boot or Logon Autostart Execution. The object describes two important implementation paths: shared file list login items, which can be visible in System Preferences and executed through LaunchServices, and Service Management Framework login items using SMLoginItemSetEnabled, which leverage launchd and may not be visible in System Preferences. SOC and IR teams should validate monitoring for creation or modification of login item configuration, background task management artifacts such as ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, suspicious AppleScript or Native API activity associated with adding login items, and execution of newly registered items at user login. Relationship context notes that NETWIRE, Dok, and Green Lambert are associated with use of this technique, so detections should be tested against generic behavior rather than only known malware names.

Likely telemetry

  • macOS endpoint security or EDR events for login item creation, modification, and execution at user login
  • File-system monitoring for user-level Login Item and background task management artifacts, including backgrounditems.btm where available
  • Process telemetry showing AppleScript, LaunchServices, launchd-related helper activity, or application helper components associated with login startup
  • API or application behavior indicating use of the Service Management Framework, including SMLoginItemSetEnabled where observable
  • User and application inventory showing expected business-approved login items versus newly introduced or unusual entries

Detection direction

  • Baseline legitimate Login Items for managed macOS fleets, because email, chat, music, and other user applications commonly use this mechanism and can create false positives.
  • Detect newly added, modified, hidden, or unusual Login Items, especially those pointing to uncommon paths, recently created executables, remote-control tooling, or items introduced shortly before suspicious login activity.
  • Do not rely only on System Preferences visibility; ATT&CK notes that Service Management Framework login items may not be visible there and may require different endpoint or launchd-aware telemetry.
  • Correlate login item changes with AppleScript and Native API activity where telemetry supports it, since the ATT&CK description identifies those as creation methods.
  • Use the related detection strategy DET0121 as a validation reference, but confirm locally what data sources it requires and whether the organization actually collects them.
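The baseline-and-diff check described in the detection direction above, together with the visibility distinction from the technical view (shared file list items versus Service Management Framework helpers), as an added Python example written for this page rather than Glexia tooling or MITRE code. It assumes the shared file list inventory has already been collected from the host (the sample below is constructed inline; on a real Mac it would be populated from System Events, for instance via an osascript query for the properties of every login item), that BASELINE and UNUSUAL_PREFIXES are local policy choices, and it locates Service Management Framework helpers by the Contents/Library/LoginItems bundle location that Apple's "Adding Login Items" guide ([2]) describes for SMLoginItemSetEnabled helpers.

```python
"""Baseline-and-diff audit of macOS Login Items (added example, not Glexia or MITRE code).

The inventory below is constructed so the script runs offline; on a host, populate it from
System Events (shared file list items) and from an on-disk scan of app bundles (SMF helpers).
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

# Hypothetical allowlist of business-approved shared file list login items.
BASELINE = {
    "/Applications/Slack.app",
    "/Applications/Microsoft Outlook.app",
    "/Applications/Music.app",
}

# Locations from which a legitimate login item should rarely launch (local policy assumption).
UNUSUAL_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
HIDDEN_COMPONENT = re.compile(r"/\.[^/]+")  # a dot-directory or dot-file anywhere in the path


def audit_login_items(items, baseline=BASELINE, now=None, recent_days=7):
    """Flag shared file list login items that deserve analyst attention.

    items: list of dicts with keys 'path' (str), 'hidden' (bool, the login item's
    hidden property) and 'mtime' (datetime, last modification of the launched file).
    Returns a list of (path, reason) tuples; an item may appear with several reasons.
    """
    now = now or datetime.now()
    findings = []
    for item in items:
        path = item["path"]
        reasons = []
        if path not in baseline:
            reasons.append("not in approved baseline")
        if item.get("hidden"):
            reasons.append("configured to launch hidden")
        if path.startswith(UNUSUAL_PREFIXES) or HIDDEN_COMPONENT.search(path):
            reasons.append("unusual or hidden location")
        if now - item["mtime"] < timedelta(days=recent_days):
            reasons.append(f"executable modified within {recent_days} days")
        findings.extend((path, reason) for reason in reasons)
    return findings


def find_smf_helpers(applications_dir):
    """Return helper bundles that parent apps register via SMLoginItemSetEnabled.

    Such helpers live inside the parent bundle at Contents/Library/LoginItems, are
    launchd-managed, and do not appear in System Preferences, so they have to be
    enumerated on disk rather than through System Events.
    """
    helpers = []
    for entry in sorted(os.listdir(applications_dir)):
        login_items = os.path.join(applications_dir, entry, "Contents", "Library", "LoginItems")
        if os.path.isdir(login_items):
            helpers.extend(os.path.join(login_items, h) for h in sorted(os.listdir(login_items)))
    return helpers


def build_sample_applications():
    """Create a throwaway /Applications-like tree with one SMF helper (constructed data)."""
    root = tempfile.mkdtemp(prefix="apps-")
    os.makedirs(os.path.join(root, "Slack.app", "Contents", "MacOS"))
    os.makedirs(os.path.join(root, "Updater.app", "Contents", "Library",
                             "LoginItems", "UpdaterHelper.app"))
    return root


# Constructed inventory: one approved item, one hidden item inside a dot-directory,
# and one freshly written binary under /tmp.
NOW = datetime(2024, 6, 1, 9, 0, 0)
SAMPLE_ITEMS = [
    {"path": "/Applications/Slack.app", "hidden": False, "mtime": NOW - timedelta(days=200)},
    {"path": "/Users/alice/.config/.agent", "hidden": True, "mtime": NOW - timedelta(days=1)},
    {"path": "/tmp/update", "hidden": False, "mtime": NOW - timedelta(hours=3)},
]

if __name__ == "__main__":
    for path, reason in audit_login_items(SAMPLE_ITEMS, now=NOW):
        print(f"{path}: {reason}")
    for helper in find_smf_helpers(build_sample_applications()):
        print(f"SMF helper (not visible in System Preferences): {helper}")
```

The functions return findings rather than printing them so the output can be shipped to a SIEM or compared across hosts; in the constructed sample the approved Slack entry produces nothing, while the hidden dot-directory item and the /tmp binary trigger multiple reasons each. Code-signature and notarization checks on the flagged executables are a natural next step that this example does not perform.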

Mitigation priorities

  • Prioritize managed macOS configuration and application governance so only approved software can establish persistent login behavior.
  • Maintain an inventory of authorized Login Items and require change control or MDM-managed deployment for business applications that need login startup.
  • Ensure endpoint protection and logging can observe both shared file list Login Items and Service Management Framework-based items, not just what is visible to users.
  • Include Login Items in macOS incident response triage, persistence eradication, and post-containment validation before returning a host to service.
  • Review user privilege practices and credential-prompt handling, since the technique can be used in privilege-escalation workflows by prompting for user credentials.

Analyst notes and limits

This take is based on ATT&CK T1547.015 version 1.1 in enterprise-attack. The object has no official ATT&CK detection text, but it does have a relationship to detection strategy DET0121 and documented software relationships for NETWIRE, Dok, and Green Lambert. The most important defensive distinction is visibility: some Login Items may be user-visible, while Service Management Framework items may not be visible in System Preferences.

The supplied ATT&CK fields do not provide detailed detection logic, data components, mitigations, prevalence, or active exploitation status. Local macOS version, MDM/EDR capability, user privilege model, and application inventory are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                               Relationship / procedure
Enterprise  T1547   Boot or Logon Autostart Execution  This object is a sub-technique of Boot or Logon Autostart Execution.

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0690: Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]

Platforms: Windows, iOS, macOS

Malware (Enterprise)

S0198: NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[1][2][3]

Platforms: Windows, Linux, macOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: fe291268985ff833...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  fe291268985f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021. (Source record: Open Login Items Apple)
[2] Apple. (2016, September 13). Adding Login Items. Retrieved July 11, 2017. (Source record: Adding Login Items)
[3] Tim Schroeder. (2013, April 21). SMLoginItemSetEnabled Demystified. Retrieved November 17, 2024. (Source record: SMLoginItemSetEnabled Schroeder 2013)
[4] Apple. (n.d.). Launch Services. Retrieved October 5, 2021. (Source record: Launch Services Apple Developer)
[5] hoakley. (2018, May 22). Running at startup: when to use a Login Item or a LaunchAgent/LaunchDaemon. Retrieved October 5, 2021. (Source record: ELC Running at startup)
[6] Apple. (n.d.). Login Items AE. Retrieved October 4, 2021. (Source record: Login Items AE)
[7] hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021. (Source record: Startup Items Eclectic)
[8] fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved November 17, 2024. (Source record: hexed osx.dok analysis 2019)
[9] kaloprominat. (2013, July 30). macos: manage add list remove login items apple script. Retrieved October 5, 2021. (Source record: Add List Remove Login Items Apple Script)
[10] Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. (Source record: objsee mac malware 2017)
[11] Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021. (Source record: CheckPoint Dok)
[12] Patrick Wardle. (2019, June 20). Burned by Fire(fox). Retrieved October 1, 2021. (Source record: objsee netwire backdoor 2019)
[13] Apple. (2018, June 4). Launch Services Keys. Retrieved October 5, 2021. (Source record: Launch Service Keys Developer Apple)
[14] mitre-attack T1547.015. (Source record: mitre-attack T1547.015)
[15] Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021. (Source record: objsee block blocking login items)
[16] Stokes, Phil. (2019, June 17). How Malware Persists on macOS. Retrieved September 10, 2019. (Source record: sentinelone macos persist Jun 2019)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.