Common Information
| Type | Value |
|---|---|
| Value |
Login Item - T1162 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them (Citation: Adding Login Items). Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). These login items are stored in the user's <code>~/Library/Preferences/</code> directory in a plist file called <code>com.apple.loginitems.plist</code> (Citation: Methods of Mac Malware Persistence). Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). Detection: All the login items are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area should be monitored and whitelisted for known good applications. Monitor process execution resulting from login actions for unusual or unknown applications. Platforms: macOS Permissions Required: User |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-08-13 | 22 | Objective-See: Blog | ||
| Details | Website | 2024-01-01 | 113 | The Mac Malware of 2023 👾 | ||
| Details | Website | 2023-11-01 | 44 | Elastic catches DPRK passing out KANDYKORN — Elastic Security Labs | ||
| Details | Website | 2023-10-31 | 3 | App Installers for Jamf School | ||
| Details | Website | 2023-05-03 | 32 | Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram | ||
| Details | Website | 2023-03-21 | 1 | macOS (Not)ifications | ||
| Details | Website | 2023-01-01 | 123 | The Mac Malware of 2022 👾 | ||
| Details | Website | 2022-10-11 | 0 | 5 Ways to Remove Adware on Mac | ||
| Details | Website | 2022-06-13 | 3 | Apple’s macOS Ventura | 7 New Security Changes to Be Aware Of | ||
| Details | Website | 2022-05-21 | 52 | OS X Malware Samples Analyzed | ||
| Details | Website | 2022-03-14 | 0 | Auto-fill Logins on Android | Bitwarden Help Center | ||
| Details | Website | 2022-02-21 | 24 | macOS下宏攻击的复现与研究 | ||
| Details | Website | 2022-01-01 | 0 | Open items automatically when you log in on Mac | ||
| Details | Website | 2021-05-22 | 6 | macOS MS Office Sandbox Brain Dump | ||
| Details | Website | 2021-03-10 | 2 | Creating Shield | ||
| Details | Website | 2020-08-04 | 27 | Office Drama on macOS | ||
| Details | Website | 2020-01-01 | 131 | The Mac Malware of 2019 👾 | ||
| Details | Website | 2019-07-09 | 219 | OSX.Dok Analysis | ||
| Details | Website | 2019-06-27 | 16 | Threat Source newsletter (June 27, 2019) | ||
| Details | Website | 2019-06-20 | 14 | Burned by Fire(fox) | ||
| Details | Website | 2019-06-20 | 13 | Burned by Fire(fox) | ||
| Details | Website | 2019-04-24 | 11 | Introducing Venator: A macOS tool for proactive detection | ||
| Details | Website | 2019-01-01 | 123 | The Mac Malware of 2018 | ||
| Details | Website | 2018-12-20 | 16 | Middle East Cyber-Espionage | ||
| Details | Website | 2018-07-23 | 0 | Block Blocking Login Items |