Login Items
Login Items [T1547.015]
Information
Name: Login Items
ID: T1547.015
Technique: T1547
Introduction
Login Items (T1547.015) is a sub-technique within the MITRE ATT&CK framework under the "Boot or Logon Autostart Execution" technique (T1547). This sub-technique specifically addresses adversaries leveraging macOS login items to maintain persistence and execute malicious payloads automatically upon user login. Attackers exploit this mechanism to ensure their malicious software runs consistently, granting them sustained access and control over compromised systems.
Deep Dive Into Technique
Login Items on macOS are applications or scripts configured to execute automatically when a user logs into their account. These items are typically managed through graphical interfaces in "System Preferences" or via specific plist files located in user directories. Adversaries aiming to achieve persistence through Login Items typically:
Utilize the
~/Library/Preferences/com.apple.loginitems.plistfile to configure persistence.Employ command-line tools such as
osascriptor AppleScript to programmatically add malicious applications to Login Items.Place malicious executables or scripts in common directories such as
~/Applications,/Applications, or hidden folders within user directories to evade casual detection.Leverage scripting languages (e.g., AppleScript, Python, Bash) to automate the addition of malicious payloads into Login Items.
Modify existing legitimate login items or create new ones, disguising malicious payloads as benign applications or scripts.
Technical mechanisms used by attackers include:
Direct manipulation of plist files using command-line utilities (
defaults write,plutil).Exploiting user permissions to add login items without administrative privileges.
Using AppleScript commands (
osascript -e) to silently add entries to Login Items without alerting the user.
When this Technique is Usually Used
Adversaries commonly use Login Items at various stages of an attack lifecycle, particularly:
Persistence Stage: Ensuring malware survives reboots and user logouts.
Privilege Escalation: Combining with other techniques to elevate privileges or maintain access after escalation.
Defense Evasion: Leveraging legitimate OS features to blend malicious activities with normal system behavior.
Attack scenarios include:
Initial compromise followed by installation of persistent backdoors.
Post-exploitation phases to maintain long-term access to compromised macOS endpoints.
Advanced Persistent Threat (APT) actors embedding persistent implants within macOS environments.
How this Technique is Usually Detected
Detection of malicious Login Items involves monitoring specific system behaviors, configurations, and files:
File System Monitoring:
Track changes to
~/Library/Preferences/com.apple.loginitems.plist.Monitor creation or modification of suspicious files in user directories (
~/Applications, hidden directories).
Process Execution Monitoring:
Identify unexpected execution of scripts or binaries immediately after user login.
Monitor execution of
osascriptor AppleScript commands that modify login items.
Endpoint Detection and Response (EDR) Tools:
Utilize macOS-specific EDR solutions (CrowdStrike Falcon, Carbon Black, Jamf Protect) to detect suspicious login item additions.
Employ macOS built-in auditing tools (
auditd) and third-party monitoring tools to track plist file modifications.
Indicators of Compromise (IoCs):
Unfamiliar or unauthorized entries in login items.
Suspicious or hidden applications/scripts configured to auto-start.
Unexpected network connections initiated immediately after user login.
Why it is Important to Detect This Technique
Early detection of the Login Items sub-technique is critical due to the following potential impacts:
Persistent Access: Attackers leveraging login items can maintain long-term access, enabling continuous data exfiltration, espionage, or sabotage.
Stealthy Operations: Utilizing legitimate OS functionality allows adversaries to remain hidden, complicating detection and remediation efforts.
Privilege Escalation and Lateral Movement: Persistent footholds facilitate further attacks, including privilege escalation, lateral movement, and deeper network penetration.
Operational Disruption: Malicious login items can degrade system performance, stability, and availability, affecting productivity and operational continuity.
Data Exfiltration and Intellectual Property Theft: Persistent malware can facilitate prolonged data exfiltration, potentially resulting in severe financial and reputational damage.
Detecting and mitigating this technique early minimizes potential damage, reduces remediation complexity, and limits attacker dwell time within the compromised environment.
Examples
Real-world examples and scenarios involving the Login Items sub-technique include:
OSX/Shlayer Malware:
Attackers used fake Adobe Flash Player installers to install malicious payloads.
Persistence achieved by adding malicious applications to Login Items through AppleScript commands.
Impact: Persistent adware and spyware infections, unauthorized data collection, and exposure to secondary infections.
FruitFly Malware:
Used Login Items to maintain persistence and execute malicious payloads at user login.
Allowed attackers to remotely control infected systems, capture screenshots, access webcams, and steal user data.
Impact: Severe privacy breaches, unauthorized surveillance, and data exfiltration.
WindTail Malware Campaign:
Targeted macOS users by embedding persistent implants into Login Items.
Leveraged scripting and plist modifications to ensure persistence.
Impact: Long-term espionage, sensitive data theft, and persistent backdoor access.
In each scenario, attackers exploited macOS Login Items to achieve persistent footholds, evade detection, and execute further malicious activities, highlighting the importance of proactive monitoring and detection strategies.
Last updated
Was this helpful?