Login Items & Persistence

Overview

Beyond Launch Agents and Launch Daemons (covered separately), macOS provides several additional persistence mechanisms that cause programs to execute automatically. Login Items run when a user logs in, cron and at jobs execute on schedules, periodic scripts run daily/weekly/monthly, and login/logout hooks execute shell scripts during the authentication process. Collectively, these represent the full persistence landscape that must be examined during a forensic investigation.

Forensic Significance

Mechanism | Forensic Value
Login Items | Applications auto-starting at user login
Cron jobs | Scheduled command execution
At jobs | One-time scheduled commands
Periodic scripts | Daily/weekly/monthly maintenance scripts
Login/logout hooks | Scripts run during authentication
Kernel extensions | Code loaded into the kernel
System extensions | Modern kernel extension replacements
Authorization plugins | Authentication process customisation
Configuration profiles | MDM-installed policies and settings

File Locations

Mechanism | Path | Format
Login Items (modern) | ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm | Binary
Login Items (legacy) | ~/Library/Preferences/com.apple.loginitems.plist | Plist
Cron jobs (user) | /usr/lib/cron/tabs/<username> | Crontab
Cron jobs (system) | /etc/crontab | Crontab
At jobs | /usr/lib/cron/jobs/ | Text
Periodic scripts | /etc/periodic/daily/, /etc/periodic/weekly/, /etc/periodic/monthly/ | Scripts
Custom periodic | /usr/local/etc/periodic/ | Scripts
Login hooks | /var/root/Library/Preferences/com.apple.loginwindow.plist | Plist
Startup Items (deprecated) | /Library/StartupItems/, /System/Library/StartupItems/ | Directory
Kernel extensions | /Library/Extensions/*.kext | Bundle
System extensions | /Library/SystemExtensions/ | Bundle
Auth plugins | /Library/Security/SecurityAgentPlugins/ | Bundle
Config profiles | /var/db/ConfigurationProfiles/ | Plist

Key Fields for Analysis

Login Items

# Modern login items (macOS 13+); the BTM database is root-readable only
sudo sfltool dumpbtm

# Legacy login items (per-user plist; silent if the file does not exist)
defaults read ~/Library/Preferences/com.apple.loginitems.plist 2>/dev/null

Cron Jobs

# List the current user's cron jobs
crontab -l

# List all user crontabs (the directory is root-only, so elevate)
sudo ls -la /usr/lib/cron/tabs/

# System crontab (absent on a default install; its presence is itself notable)
cat /etc/crontab

Login/Logout Hooks

# Check for login/logout hooks (root's preferences domain, so elevate)
sudo defaults read /var/root/Library/Preferences/com.apple.loginwindow LoginHook 2>/dev/null
sudo defaults read /var/root/Library/Preferences/com.apple.loginwindow LogoutHook 2>/dev/null

Kernel/System Extensions

# Loaded kernel extensions, filtered to non-Apple bundle identifiers
# (on macOS 11+ `kmutil showloaded` is the current equivalent of kextstat)
kextstat | grep -v com.apple

# System extensions (shows bundle ID, team ID and activation state)
systemextensionsctl list

Configuration Profiles

# List installed profiles (prefix with sudo to include device-level profiles)
profiles list

Analysis Notes

  • Full persistence audit: A thorough forensic examination must check all persistence mechanisms, not just Launch Agents/Daemons. Attackers specifically target less-monitored mechanisms like cron jobs and login hooks.
  • Login hooks are rare: Apple deprecated login/logout hooks. Their presence on a modern system is unusual and warrants investigation.
  • Startup Items are legacy: /Library/StartupItems/ is a pre-launchd mechanism. Items here on modern macOS are highly suspicious.
  • Kernel extension restrictions: Since macOS 11, third-party kernel extensions require explicit user approval and a reboot. Unauthorized kexts indicate significant compromise.
  • Configuration profiles: MDM profiles in /var/db/ConfigurationProfiles/ can modify system behaviour extensively. On unmanaged systems, installed profiles are suspicious.
  • Cron vs. launchd: Apple discourages cron usage in favour of launchd. Cron jobs on a Mac are less common and deserve scrutiny, especially if they execute from unusual locations.
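The checks above are interactive commands for a live system. As an added example (not part of this page or the macfor tool), the script below runs the same audit offline against a mounted image root: it reads the loginwindow plist for hooks, parses per-user and system crontabs (including @reboot entries), flags commands launched from a constructed list of unusual directories (ODD_PREFIXES is an assumed heuristic, not from the page), and lists pre-launchd StartupItems and third-party kexts. The demo() function builds a constructed sample image in a temporary directory; the file names and contents are invented for illustration.

```python
import glob, os, plistlib, tempfile

# Constructed heuristic (not from the page): launch paths that make a cron entry
# "unusual" enough to flag; tune it for the environment under review.
ODD_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

def parse_crontab(text, system=False):
    """Yield the command of each active entry; system crontabs carry an extra user column."""
    ncols = 7 if system else 6                  # schedule (+ user) columns before the command
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] == "#" or "=" in line.split()[0]:
            continue                            # blank line, comment, or NAME=value setting
        maxsplit = (ncols - 5) if line[0] == "@" else (ncols - 1)   # @reboot etc. is one token
        fields = line.split(None, maxsplit)
        if len(fields) == maxsplit + 1:
            yield fields[-1]

def audit_persistence(root):
    """Audit the persistence locations from the table above beneath a mounted image root."""
    p = lambda rel: os.path.join(root, rel)
    findings = []
    hooks = p("var/root/Library/Preferences/com.apple.loginwindow.plist")
    if os.path.isfile(hooks):                   # hooks are deprecated, so any value is a finding
        with open(hooks, "rb") as fh:
            data = plistlib.load(fh)            # reads XML and binary plists alike
        findings += [("loginhook", k, data[k]) for k in ("LoginHook", "LogoutHook") if k in data]
    tabs = [(t, False) for t in glob.glob(p("usr/lib/cron/tabs/*"))] + [(p("etc/crontab"), True)]
    for tab, system in tabs:
        if os.path.isfile(tab):
            with open(tab, errors="replace") as fh:
                for cmd in parse_crontab(fh.read(), system):
                    odd = cmd.split()[0].startswith(ODD_PREFIXES)
                    findings.append(("cron", os.path.basename(tab), cmd, "odd-path" if odd else "review"))
    for rel in ("Library/StartupItems/*", "System/Library/StartupItems/*", "Library/Extensions/*.kext"):
        for path in glob.glob(p(rel)):          # pre-launchd items and third-party kexts
            findings.append(("legacy", rel, os.path.basename(path)))
    return findings

def demo():
    """Build a constructed sample image in a temp dir and audit it (sample data, not real evidence)."""
    root = tempfile.mkdtemp()
    os.makedirs(prefs := os.path.join(root, "var/root/Library/Preferences"))
    with open(os.path.join(prefs, "com.apple.loginwindow.plist"), "wb") as fh:
        plistlib.dump({"LoginHook": "/private/tmp/.hook.sh"}, fh)
    os.makedirs(tabs := os.path.join(root, "usr/lib/cron/tabs"))
    with open(os.path.join(tabs, "mallory"), "w") as fh:
        fh.write('# comment\nMAILTO=""\n*/5 * * * * /private/tmp/.update.sh -q\n@reboot /usr/bin/true\n')
    os.makedirs(os.path.join(root, "Library/StartupItems/FakeItem"))
    return audit_persistence(root)
```

Point audit_persistence() at the mount point of an evidence image (for example a volume under /Volumes) to get the same findings list for real data.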

Tool Support

Tool | Support
macfor | Not yet implemented (planned)
sfltool (macOS built-in) | Dump login items
KnockKnock (Objective-See) | Comprehensive persistence scanner
BlockBlock (Objective-See) | Real-time persistence monitoring
Autoruns for Mac | Persistence enumeration
