T1547.015 Login Items in MITRE ATT&CK Explained

Sıla Özeren Hacıoğlu | April 03, 2026

What Is T1547.015 Login Items in MITRE ATT&CK?

T1547.015 Login Items is a technique in the MITRE ATT&CK framework under the Persistence tactic. It refers to the use of Login Items in macOS to automatically launch programs or scripts during user login.

Login Items are applications or scripts that are configured to start automatically when a user logs into their macOS environment. These items are managed within the system settings and are intended to enhance user experience by automatically launching commonly used programs or services upon login. This functionality, however, can be exploited to ensure that malicious software runs each time the user logs into their system.

To read about other sub-techniques of the T1547 Boot or Logon Autostart Execution technique, you can visit the related hub blog.

Adversary Use of T1547.015 Login Items

Adversaries exploit macOS login items to launch malicious software automatically upon user login, aiming for persistence or privilege escalation. These login items, including applications, documents, folders, or server connections, are added using scripting languages like AppleScript. Particularly in macOS versions prior to 10.5, AppleScript is utilized to send Apple events to the "System Events" process, manipulating login items for malicious purposes.

Additionally, adversaries may employ Native API calls, leveraging the Service Management Framework, which involves API calls such as SMLoginItemSetEnabled. This technique enables the discreet insertion of harmful programs into the user's login sequence. By using both shared file list login items and the Service Management Framework, adversaries effectively maintain a stealthy presence within the system.

Here's an example of a command that adversaries might use [1].

tell application "System Events" to make login item at end with properties {path:"/path/to/malicious/executable", hidden:true}

When executed, this command adds the specified path to the list of applications that automatically start upon user login, with the hidden:true property ensuring the application runs without displaying any visible interface to the user. This stealthy method allows the malicious software to execute unnoticed, achieving persistence on the system.

Such an attack technique is challenging to mitigate with preventive controls due to its reliance on the abuse of legitimate system features. The script leverages standard macOS functionalities designed for user convenience, making it difficult to distinguish between benign and malicious use without impacting normal operations.
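Because prevention is difficult, detection carries most of the weight. The following sketch is an added example, not code from the original post or from MITRE: it scans process command lines for AppleScript that creates a login item through "System Events" and raises the severity when hidden:true is set. The event field names, the sample events, and the directory heuristic are assumptions.

```python
import re

# AppleScript that asks System Events to create (not just list) a login item.
MAKE_ITEM = re.compile(
    r'tell\s+application\s+"System Events".*?make\s+(?:new\s+)?login\s+item',
    re.I | re.S,
)
PATH_PROP = re.compile(r'path\s*:\s*"([^"]+)"', re.I)
HIDDEN_PROP = re.compile(r'hidden\s*:\s*true', re.I)

# Assumed triage heuristic: login items normally point at installed applications.
EXPECTED_PREFIXES = ("/Applications/", "/System/Applications/")

def analyze(event):
    """Return a finding for a process event that adds a login item, else None."""
    cmd = event["command_line"]
    if not MAKE_ITEM.search(cmd):
        return None
    path_match = PATH_PROP.search(cmd)
    path = path_match.group(1) if path_match else None
    hidden = bool(HIDDEN_PROP.search(cmd))
    reasons = ["login item created via System Events"]
    if hidden:
        reasons.append("hidden:true set")
    if path and not path.startswith(EXPECTED_PREFIXES):
        reasons.append("target outside expected application directories")
    severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
    return {"user": event["user"], "path": path, "hidden": hidden,
            "severity": severity, "reasons": reasons}

def findings(events):
    """Analyze a batch of events and keep only those that produced a finding."""
    return [f for f in (analyze(e) for e in events) if f]

# Constructed sample process-execution events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "alice", "command_line": 'osascript -e \'tell application "System Events" to make login item at end with properties {path:"/Applications/Notes.app", hidden:false}\''},
    {"user": "bob", "command_line": 'osascript -e \'tell application "System Events" to make login item at end with properties {path:"/Users/bob/.cache/updater", hidden:true}\''},
    {"user": "carol", "command_line": 'osascript -e \'tell application "System Events" to get the name of every login item\''},
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_EVENTS):
        print(finding["severity"], finding["user"], finding["path"], finding["reasons"])
```

Matching on the command line only covers the shared file list route set through AppleScript; login items registered through the Service Management Framework need a different telemetry source.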


References

[1] “Boot or Logon Autostart Execution: Login Items.” Available: https://attack.mitre.org/techniques/T1547/015/. [Accessed: Dec. 29, 2023]
