Skip to content

Hide Navigation Hide TOC

Startup Item File Created - MacOS (dfe8b941-4e54-4242-b674-6b613d521962)

Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.

Cluster A Galaxy A Cluster B Galaxy B Level
Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) Attack Pattern Startup Item File Created - MacOS (dfe8b941-4e54-4242-b674-6b613d521962) Sigma-Rules 1
Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) Attack Pattern Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern 2