MITRE ATT&CK® Analytic

AN1197: Analytic 1197

Detects the modification or addition of Launch Agents or Startup Items to establish persistence. Adversaries may write plist or executable files to ~/Library/LaunchAgents/, /Library/StartupItems/, or similar directories and configure them to run at user or system boot. Detection requires correlating file creation or modification events with subsequent user logon or boot-time process execution.

Enterprise · AN1197 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about a common macOS persistence pattern: changes to Launch Agents or Startup Items that cause code to run when a user logs in or the system boots. For security leaders, its value is not just “detect a file write,” but confirming whether the organization can connect persistence-related file changes to later startup or logon execution. That correlation is what helps distinguish routine software behavior from activity that may require incident response.

Executive priority

Prioritize this where macOS endpoints are material to business operations, privileged users, developer workstations, or regulated evidence requirements. The business question is whether SOC and IR teams can prove they see both sides of the behavior: creation or modification of persistence files and the later execution at boot or user logon. If that evidence is missing, response teams may struggle to scope persistence, validate containment, or demonstrate endpoint monitoring coverage during an audit or investigation.

Technical view

For macOS, validate collection and correlation for file creation or modification in Launch Agent and Startup Item locations, including ~/Library/LaunchAgents/ and /Library/StartupItems/, and correlate those events with process execution after user logon or system boot. Because the official detection field is not provided and no relationships are supplied, teams should treat this as a detection validation objective rather than a complete rule. Focus on whether the analytic can identify new or changed plist or executable files in relevant directories and then tie them to subsequent execution context.

Likely telemetry

  • macOS file creation and modification events for Launch Agent and Startup Item paths
  • File path, filename, file hash, owner, permissions, and timestamp metadata where available
  • Process execution telemetry after user logon or system boot
  • User logon and system boot timing data
  • Endpoint security or EDR events that link parent and child processes to persistence file execution

Detection direction

  • Validate that macOS endpoint telemetry covers ~/Library/LaunchAgents/, /Library/StartupItems/, and similar persistence directories used in the environment.
  • Correlate persistence file creation or modification with later execution at user logon or boot rather than alerting only on file writes.
  • Tune for expected administrative tools, operating system components, and legitimate software installers to reduce false positives.
  • Review blind spots on unmanaged macOS hosts, endpoints without file event collection, and telemetry that lacks boot or logon context.
  • Because no ATT&CK relationships are supplied, do not assume a specific adversary, campaign, or technique mapping beyond the analytic description.
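As an added illustration of the correlation the points above call for (example code written for this page, not Glexia's or MITRE's), a small Python rule over constructed telemetry: a write to a Launch Agent or Startup Item path is held as pending, and an alert is raised only when a launchd-spawned process matching the plist's Program runs after a later logon or boot event. Event field names, the baseline list and the sample events are assumptions.

```python
"""Correlate persistence-file writes with later logon/boot execution.
Toy rule over constructed events; field names and baseline are assumed."""
import plistlib
from datetime import datetime

WATCHED_DIRS = ("/Library/LaunchAgents/", "/Library/StartupItems/")
# Approved software that legitimately installs Launch Agents (assumed baseline).
BASELINE = {"/Applications/Corp Updater.app/Contents/MacOS/updater"}

def is_persistence_path(path):
    # Substring match covers both ~/Library/... and /Library/... locations.
    return any(d in path for d in WATCHED_DIRS)

def plist_program(data):
    """Extract the executable a plist would launch; None if unparseable."""
    try:
        p = plistlib.loads(data)
    except Exception:
        return None
    return p.get("Program") or (p.get("ProgramArguments") or [None])[0]

def correlate(events):
    """Return alerts as (plist path, program, exec timestamp) tuples."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    alerts, pending, last_logon = [], {}, None   # pending: program -> (path, write ts)
    for e in sorted(events, key=ts):
        if e["type"] == "file_write" and is_persistence_path(e["path"]):
            prog = plist_program(e["content"])
            if prog and prog not in BASELINE:        # tune out approved software
                pending[prog] = (e["path"], ts(e))
        elif e["type"] in ("logon", "boot"):
            last_logon = ts(e)
        elif e["type"] == "exec" and e["ppid"] == 1:  # parent is launchd
            hit = pending.get(e["exe"])
            # Alert only when write -> logon/boot -> execution is in that order.
            if hit and last_logon and hit[1] < last_logon <= ts(e):
                alerts.append((hit[0], e["exe"], e["ts"]))
    return alerts

def _plist(program):  # constructed plist content for the sample events
    return plistlib.dumps({"Label": "x", "ProgramArguments": [program], "RunAtLoad": True})

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"type": "file_write", "ts": "2025-01-10T09:00:00", "content": _plist("/Users/alice/.local/bin/agent"),
     "path": "/Users/alice/Library/LaunchAgents/com.example.agent.plist"},
    {"type": "file_write", "ts": "2025-01-10T09:01:00", "content": _plist("/Applications/Corp Updater.app/Contents/MacOS/updater"),
     "path": "/Library/LaunchAgents/com.corp.updater.plist"},
    {"type": "logon", "ts": "2025-01-10T18:00:00", "user": "alice"},
    {"type": "exec", "ts": "2025-01-10T18:00:05", "pid": 4242, "ppid": 1, "exe": "/Users/alice/.local/bin/agent"},
    {"type": "exec", "ts": "2025-01-10T18:00:06", "pid": 4243, "ppid": 1, "exe": "/Applications/Corp Updater.app/Contents/MacOS/updater"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("persistence executed at logon:", a)
```

The baselined updater produces no alert even though it follows the same write-then-execute pattern, which is the tuning step the list above describes.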

Mitigation priorities

  • Ensure macOS endpoints that matter to business operations are under managed endpoint monitoring with file and process telemetry enabled.
  • Establish baselines for approved software that legitimately creates Launch Agents or Startup Items.
  • Restrict unnecessary write access to persistence-related locations where operationally feasible.
  • Include Launch Agent and Startup Item review in macOS incident response and containment playbooks.
  • Use findings from this analytic to support control validation and audit evidence for endpoint monitoring and persistence detection.

Analyst notes and limits

The supplied object is a detection analytic for macOS persistence via Launch Agents or Startup Items. The most important operational point is correlation: file creation or modification alone is weaker than linking the change to execution at logon or boot. Local baselines are essential because legitimate software may use similar mechanisms.

The official detection field is not provided, tactics are not specified, and no relationship context is supplied. This take therefore avoids claims about adversaries, active exploitation, technique linkage, or guaranteed coverage. Final detection logic, severity, and response handling require local macOS fleet telemetry and software baselines.

Official MITRE ATT&CK definition

Analytic 1197

Detects the modification or addition of Launch Agents or Startup Items to establish persistence. Adversaries may write plist or executable files to ~/Library/LaunchAgents/, /Library/StartupItems/, or similar directories and configure them to run at user or system boot. Detection requires correlating file creation or modification events with subsequent user logon or boot-time process execution.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in snapshot)
Modified: (blank in snapshot)
Raw hash: cd890fb2e8431c31...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (blank) | 1.0 | (blank) | Current bundle | cd890fb2e843…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1197 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.