MITRE ATT&CK Technique
Persistence T1162
Description

macOS provides the option to list specific applications to run when a user logs in. These applications run under the logged-in user's context and are started every time the user logs in. Login items installed using the Service Management Framework are not visible in System Preferences and can only be removed by the application that created them (Citation: Adding Login Items). Users have direct control over login items installed using a shared file list, which are also visible in System Preferences (Citation: Adding Login Items). These login items are stored in the user's <code>~/Library/Preferences/</code> directory in a plist file called <code>com.apple.loginitems.plist</code> (Citation: Methods of Mac Malware Persistence). Some of these applications can open visible dialogs to the user, but they don’t all have to, since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modify an existing one, they can use it as a persistence mechanism that executes their code each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). The API method <code>SMLoginItemSetEnabled</code> can be used to set login items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1155) can do this as well (Citation: Adding Login Items).
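
For defenders, the description above points at one file to watch: com.apple.loginitems.plist, where entries can be added, modified, or set to hide their window. The following Python is an added example, not part of the ATT&CK entry; it compares that plist against a saved baseline and reports added, modified, newly hidden and removed login items. The key names SessionItems, CustomListItems, Name, Alias, CustomItemProperties and com.apple.loginitem.HideOnLaunch are assumptions about the legacy file layout, and the sample data is constructed.

```python
import hashlib
import plistlib

# Key names below are assumptions about the legacy shared-file-list layout.
HIDE_KEY = "com.apple.loginitem.HideOnLaunch"

def fingerprint(plist_bytes):
    """Map login item name -> (sha256 of its Alias blob, hidden flag)."""
    root = plistlib.loads(plist_bytes)
    items = root.get("SessionItems", {}).get("CustomListItems", [])
    out = {}
    for item in items:
        alias = item.get("Alias", b"")
        props = item.get("CustomItemProperties", {})
        out[item.get("Name", "<unnamed>")] = (
            hashlib.sha256(alias).hexdigest(), bool(props.get(HIDE_KEY, False)))
    return out

def audit(baseline_bytes, current_bytes):
    """Return findings: items added, modified, newly hidden or removed."""
    old, new = fingerprint(baseline_bytes), fingerprint(current_bytes)
    findings = []
    for name, (digest, hidden) in sorted(new.items()):
        if name not in old:
            findings.append(("added", name, hidden))
        elif old[name][0] != digest:
            findings.append(("modified", name, hidden))
        elif hidden and not old[name][1]:
            findings.append(("now-hidden", name, hidden))
    findings += [("removed", n, old[n][1]) for n in sorted(old.keys() - new.keys())]
    return findings

def _sample(entries):
    """Build a constructed plist; entries are (name, alias_bytes, hidden)."""
    items = [{"Name": n, "Alias": a, "CustomItemProperties": {HIDE_KEY: h}}
             for n, a, h in entries]
    return plistlib.dumps({"SessionItems": {"CustomListItems": items}})

# Constructed sample data, not taken from a real system.
BASELINE = _sample([("Mail.app", b"alias-mail-v1", False),
                    ("Notes.app", b"alias-notes-v1", False)])
CURRENT = _sample([("Mail.app", b"alias-mail-v2", False),
                   ("Notes.app", b"alias-notes-v1", True),
                   ("Updater.app", b"alias-updater", True)])

if __name__ == "__main__":
    for kind, name, hidden in audit(BASELINE, CURRENT):
        print(f"{kind:10} {name:12} hidden={hidden}")
```

This check only covers login items kept in the shared file list plist; items installed through the Service Management Framework are not recorded there and need separate inspection.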

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-12-14T16:46:06.044Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'MacOS provides the option to list specific applications to '
                'run when a user logs in. These applications run under the '
                "logged in user's context, and will be started every time the "
                'user logs in. Login items installed using the Service '
                'Management Framework are not visible in the System '
                'Preferences and can only be removed by the application that '
                'created them (Citation: Adding Login Items). Users have '
                'direct control over login items installed using a shared file '
                'list which are also visible in System Preferences (Citation: '
                'Adding Login Items). These login items are stored in the '
                "user's <code>~/Library/Preferences/</code> directory in a "
                'plist file called <code>com.apple.loginitems.plist</code> '
                '(Citation: Methods of Mac Malware Persistence). Some of these '
                'applications can open visible dialogs to the user, but they '
                'don’t all have to since there is an option to ‘Hide’ the '
                'window. If an adversary can register their own login item or '
                'modified an existing one, then they can use it to execute '
                'their code for a persistence mechanism each time the user '
                'logs in (Citation: Malware Persistence on OS X) (Citation: '
                'OSX.Dok Malware). The API method <code> SMLoginItemSetEnabled '
                '</code> can be used to set Login Items, but scripting '
                'languages like '
                '[AppleScript](https://attack.mitre.org/techniques/T1155) can '
                'do this as well  (Citation: Adding Login Items).',
 'external_references': [{'external_id': 'T1162',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1162'},
                         {'description': 'Apple. (2016, September 13). Adding '
                                         'Login Items. Retrieved July 11, '
                                         '2017.',
                          'source_name': 'Adding Login Items',
                          'url': 'https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html'},
                         {'description': 'Patrick Wardle. (2014, September). '
                                         'Methods of Malware Persistence on '
                                         'Mac OS X. Retrieved July 5, 2017.',
                          'source_name': 'Methods of Mac Malware Persistence',
                          'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
                         {'description': 'Patrick Wardle. (2015). Malware '
                                         'Persistence on OS X Yosemite. '
                                         'Retrieved July 10, 2017.',
                          'source_name': 'Malware Persistence on OS X',
                          'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
                         {'description': 'Thomas Reed. (2017, July 7). New '
                                         'OSX.Dok malware intercepts web '
                                         'traffic. Retrieved July 10, 2017.',
                          'source_name': 'OSX.Dok Malware',
                          'url': 'https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/'},
                         {'external_id': 'CAPEC-564',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/564.html'}],
 'id': 'attack-pattern--36675cd3-fe00-454c-8516-aebecacbe9d9',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:38.718Z',
 'name': 'Login Item',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '1.1'}