Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Persistence
  4. >ATTACK-T1547.015
ATTACK-T1547.015Active

Login Items

Statement

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>.

Login items installed using the Service Management Framework leverage <code>launchd</code>, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.

Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using AppleScript to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as <code>tell application “System Events” to make login item at end with properties /path/to/executable</code>.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code>.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)

Location

Tactic
Persistence

Technique Details

Identifier
ATTACK-T1547.015
Parent Technique
ATTACK-T1547
ATT&CK Page
View on MITRE

Tactics

PersistencePrivilege Escalation

Platforms

macOS

Detection

Detection Strategy for T1547.015 – Login Items on macOS

No cross-framework mappings available

← Back to Persistence
Persistence80 controls
ATTACK-T1037Boot or Logon Initialization ScriptsATTACK-T1037.001Logon Script (Windows)ATTACK-T1037.002Login HookATTACK-T1037.003Network Logon ScriptATTACK-T1037.004RC ScriptsATTACK-T1037.005Startup ItemsATTACK-T1098Account ManipulationATTACK-T1098.001Additional Cloud CredentialsATTACK-T1098.002Additional Email Delegate PermissionsATTACK-T1098.003Additional Cloud RolesATTACK-T1098.004SSH Authorized KeysATTACK-T1098.005Device RegistrationATTACK-T1098.006Additional Container Cluster RolesATTACK-T1098.007Additional Local or Domain GroupsATTACK-T1133External Remote ServicesATTACK-T1136Create AccountATTACK-T1136.001Local AccountATTACK-T1136.002Domain AccountATTACK-T1136.003Cloud AccountATTACK-T1137Office Application StartupATTACK-T1137.001Office Template MacrosATTACK-T1137.002Office TestATTACK-T1137.003Outlook FormsATTACK-T1137.004Outlook Home PageATTACK-T1137.005Outlook RulesATTACK-T1137.006Add-insATTACK-T1176Software ExtensionsATTACK-T1176.001Browser ExtensionsATTACK-T1176.002IDE ExtensionsATTACK-T1505Server Software ComponentATTACK-T1505.001SQL Stored ProceduresATTACK-T1505.002Transport AgentATTACK-T1505.003Web ShellATTACK-T1505.004IIS ComponentsATTACK-T1505.005Terminal Services DLLATTACK-T1505.006vSphere Installation BundlesATTACK-T1525Implant Internal ImageATTACK-T1542.001System FirmwareATTACK-T1542.002Component FirmwareATTACK-T1542.003BootkitATTACK-T1543Create or Modify System ProcessATTACK-T1543.001Launch AgentATTACK-T1543.002Systemd ServiceATTACK-T1543.003Windows ServiceATTACK-T1543.004Launch DaemonATTACK-T1543.005Container ServiceATTACK-T1546.017Udev RulesATTACK-T1546.018Python Startup HooksATTACK-T1547Boot or Logon Autostart ExecutionATTACK-T1547.001Registry Run Keys / Startup FolderATTACK-T1547.002Authentication PackageATTACK-T1547.003Time ProvidersATTACK-T1547.004Winlogon Helper DLLATTACK-T1547.005Security Support ProviderATTACK-T1547.006Kernel Modules and ExtensionsATTACK-T1547.007Re-opened ApplicationsATTACK-T1547.008LSASS DriverATTACK-T1547.009Shortcut ModificationATTACK-T1547.010Port MonitorsATTACK-T1547.012Print ProcessorsATTACK-T1547.013XDG Autostart EntriesATTACK-T1547.014Active SetupATTACK-T1547.015Login ItemsATTACK-T1554Compromise Host Software BinaryATTACK-T1574Hijack Execution FlowATTACK-T1574.001DLLATTACK-T1574.004Dylib HijackingATTACK-T1574.005Executable Installer File Permissions WeaknessATTACK-T1574.006Dynamic Linker HijackingATTACK-T1574.007Path Interception by PATH Environment VariableATTACK-T1574.008Path Interception by Search Order HijackingATTACK-T1574.009Path Interception by Unquoted PathATTACK-T1574.010Services File Permissions WeaknessATTACK-T1574.011Services Registry Permissions WeaknessATTACK-T1574.012COR_PROFILERATTACK-T1574.013KernelCallbackTableATTACK-T1574.014AppDomainManagerATTACK-T1653Power SettingsATTACK-T1668Exclusive ControlATTACK-T1671Cloud Application Integration