Unusual modification or creation of loginwindow-related plist files in '~/Library/Preferences/ByHost' correlated with unauthorized application paths and execution upon login.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of process launched via loginwindow session restore |
| File Modification (DC0061) | fs:filesystem | Modification or creation of files matching 'com.apple.loginwindow.*.plist' in ~/Library/Preferences/ByHost |
| Logon Session Metadata (DC0088) | macos:unifiedlog | LoginWindow context with associated PID linked to reopened plist paths |
| File Metadata (DC0059) | macos:endpointsecurity | es_event_file_rename_t or es_event_file_write_t |

| Field | Description |
|---|---|
| UserContext | Restrict to targeted users or unexpected users writing to plist |
| FilePathPattern | Allow tuning for alternative persistence paths or directory redirection |
| TimeWindow | Correlate plist write and process execution within logon window |
| BinaryAnomalyScore | Optional scoring of launched binary based on code signing, entropy, and known safe apps |
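As an added illustration (not part of this analytic or any vendor's code), the correlation below pairs a ByHost loginwindow plist write with loginwindow-spawned processes of the same user inside the TimeWindow and applies a simple BinaryAnomalyScore; the event field names, the safe-path list and the sample telemetry are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# ByHost loginwindow plist: the hex/dash part is the host UUID (FilePathPattern).
PLIST_RE = re.compile(
    r"^/Users/(?P<user>[^/]+)/Library/Preferences/ByHost/"
    r"com\.apple\.loginwindow\.[0-9A-Fa-f-]+\.plist$")
SAFE_PREFIXES = ("/System/", "/Applications/", "/usr/bin/", "/usr/libexec/")  # assumed allowlist

def anomaly_score(proc):
    """Simple BinaryAnomalyScore: higher means the launched binary looks less trustworthy."""
    score = 0
    if not proc["path"].startswith(SAFE_PREFIXES):
        score += 2                       # outside the usual application locations
    if not proc["signed"]:
        score += 1                       # unsigned binary
    if "/." in proc["path"] or proc["path"].startswith(("/tmp/", "/private/tmp/")):
        score += 1                       # hidden directory or temp location
    return score

def correlate(file_events, proc_events, window_s=120, users=None, min_score=1):
    """Return alerts for plist writes followed, within window_s seconds, by a loginwindow child of the same user."""
    alerts = []
    for fe in file_events:
        m = PLIST_RE.match(fe["path"])
        if not m or (users and m["user"] not in users):   # path filter + UserContext
            continue
        user = m["user"]
        for pe in proc_events:
            dt = (pe["ts"] - fe["ts"]).total_seconds()
            if pe["user"] != user or pe["parent"] != "loginwindow" or not 0 <= dt <= window_s:
                continue
            score = anomaly_score(pe)
            if score >= min_score:
                alerts.append({"user": user, "plist": fe["path"], "binary": pe["path"],
                               "delay_s": dt, "score": score})
    return alerts

# Constructed sample telemetry (not real logs); the host UUID is an all-zero placeholder.
T0 = datetime(2024, 5, 1, 9, 0, 0)
FILE_EVENTS = [{"ts": T0, "path": "/Users/alice/Library/Preferences/ByHost/"
                "com.apple.loginwindow.00000000-0000-0000-0000-000000000000.plist"}]
PROC_EVENTS = [
    {"ts": T0 + timedelta(seconds=30), "user": "alice", "parent": "loginwindow",
     "path": "/Applications/Safari.app/Contents/MacOS/Safari", "signed": True},
    {"ts": T0 + timedelta(seconds=45), "user": "alice", "parent": "loginwindow",
     "path": "/Users/alice/Library/.cache/updater", "signed": False},
    {"ts": T0 + timedelta(seconds=50), "user": "bob", "parent": "loginwindow",
     "path": "/Users/bob/Library/.cache/updater", "signed": False},
]
```

With the sample data, only alice's unsigned binary in a hidden directory is reported; Safari scores 0 and bob's launch is not tied to alice's plist write.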