T1037.005 Startup Items Mappings

Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)

This is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.

An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1037.005 Startup Items
CA-7 Continuous Monitoring Protects T1037.005 Startup Items
CM-2 Baseline Configuration Protects T1037.005 Startup Items
CM-6 Configuration Settings Protects T1037.005 Startup Items
SI-3 Malicious Code Protection Protects T1037.005 Startup Items
SI-4 System Monitoring Protects T1037.005 Startup Items
SI-7 Software, Firmware, and Information Integrity Protects T1037.005 Startup Items
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.005 Boot or Logon Initialization Scripts: Startup Items