{
	"id": "227af284-c1f1-4339-b9b2-5d965bca17ec",
	"created_at": "2026-04-06T00:19:08.580231Z",
	"updated_at": "2026-04-10T13:13:03.379206Z",
	"deleted_at": null,
	"sha1_hash": "d205f006ad93c0104bed9ec9faa57049ab561d75",
	"title": "Objective-See's Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 477174,
	"plain_text": "Objective See\r\nproducts malware blog about\r\nBlock Blocking Login Items\r\nparsing apple's login item files to detect persistence\r\n07/23/2018\r\nThere are many ways for code to persist on macOS. One way for applications to persist and thus be automatically\r\nlaunched when the user logs in, is to register as a \r\nlogin item\r\n.\r\nIn the context of this blog post, \"persistence\" is defined as a way for a binary or application to 'register'\r\nwith the OS in order to be automatically executed when the system is rebooted (and/or when the user\r\nlogs in).\r\nThere are two 'types' of login items:\r\ntraditional\r\nmodern/sandboxed\r\nTraditional login items are the focus of this blog post (specifically how to programmatically detect when new login item is\r\nadded). These are the items one can see in UI of the \r\nSystem Preferences\r\n application (under \r\nUsers \u0026 Groups\r\n, \r\nLogin Items\r\n):\r\nOn the other hand, 'modern' login items, are designed to work with applications distributed via the Mac App Store.\r\nFound within the \r\n/Library/loginItems\r\n directory of application bundles, though they may be persistent and thus\r\nautomatically launched by the OS, a list of such items do not show up in UI.\r\nLuckily KnockKnock will enumerate such login items for you:\r\n© 2018 objective-see llc support us!  ✉\r\nAloha!\r\nSign up for our newsletter and\r\nnotifications about new tools \u0026\r\nblog posts?\r\nEmail Address\r\nSubscribe\r\nhttps://objective-see.com/blog/blog_0x31.html\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x31.html"
	],
	"report_names": [
		"blog_0x31.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434748,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d205f006ad93c0104bed9ec9faa57049ab561d75.pdf",
		"text": "https://archive.orkl.eu/d205f006ad93c0104bed9ec9faa57049ab561d75.txt",
		"img": "https://archive.orkl.eu/d205f006ad93c0104bed9ec9faa57049ab561d75.jpg"
	}
}