MITRE ATT&CK Technique
Description
Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items (Citation: Startup Items). This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory. An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as root. If an adversary is able to modify an existing Startup Item, then they will be able to Privilege Escalate as well.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Per Apple’s documentation, startup items execute during the '
'final phase of the boot process and contain shell scripts or '
'other executable files along with configuration information '
'used by the system to determine the execution order for all '
'startup items (Citation: Startup Items). This is technically '
'a deprecated version (superseded by Launch Daemons), and thus '
'the appropriate folder, <code>/Library/StartupItems</code> '
'isn’t guaranteed to exist on the system by default, but does '
'appear to exist by default on macOS Sierra. A startup item is '
'a directory whose executable and configuration property list '
'(plist), <code>StartupParameters.plist</code>, reside in the '
'top-level directory. \n'
'\n'
'An adversary can create the appropriate folders/files in the '
'StartupItems directory to register their own persistence '
'mechanism (Citation: Methods of Mac Malware Persistence). '
'Additionally, since StartupItems run during the bootup phase '
'of macOS, they will run as root. If an adversary is able to '
'modify an existing Startup Item, then they will be able to '
'Privilege Escalate as well.',
'external_references': [{'external_id': 'T1165',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1165'},
{'description': 'Apple. (2016, September 13). Startup '
'Items. Retrieved July 11, 2017.',
'source_name': 'Startup Items',
'url': 'https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html'},
{'description': 'Patrick Wardle. (2014, September). '
'Methods of Malware Persistence on '
'Mac OS X. Retrieved July 5, 2017.',
'source_name': 'Methods of Mac Malware Persistence',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'}],
'id': 'attack-pattern--2ba5aa71-9d15-4b22-b726-56af06d9ad2f',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:34.254Z',
'name': 'Startup Items',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.1'}