Detection of persistent login hooks configured through `defaults` or direct plist modification that cause a script or binary to execute at user login, breaking the expected parent-child process lineage.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | loginwindow or tccd-related entries |
| File Modification (DC0061) | fs:plist | /var/root/Library/Preferences/com.apple.loginwindow.plist |

| Field | Description |
|---|---|
| login_hook_path | Path of script or binary assigned to login hook; may vary by environment |
| user_context | Login hook may be applied to specific user accounts; tune by privilege level |
| time_window | Correlate plist file modification to execution within a short timeframe |
| parent_process_name | Expected parent process (e.g., loginwindow); anomalies can indicate masquerading |
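As an added illustration (not part of the original detection strategy), the following Python correlates the two data components above using the tunable fields: a modification of the loginwindow plist that sets a login hook, followed within `time_window` by a process start of the hooked path, yields an alert, and a parent other than `loginwindow` is flagged as a lineage anomaly. The `LoginHook` plist key is the real key written by `defaults write com.apple.loginwindow LoginHook`; the event tuple shapes and sample telemetry are constructed for the example.

```python
import plistlib
from datetime import datetime, timedelta

# Hypothetical correlation logic (not from the original page): plist modification
# setting LoginHook + execution of that path within time_window => alert.
LOGINWINDOW_PLIST = "/var/root/Library/Preferences/com.apple.loginwindow.plist"
EXPECTED_PARENT = "loginwindow"  # parent_process_name tunable

def login_hook_path(plist_bytes):
    """Return the LoginHook value from a plist, or None if absent or unparseable."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # non-plist or truncated content in file telemetry
        return None
    return data.get("LoginHook") if isinstance(data, dict) else None

def detect_login_hooks(file_events, proc_events, time_window=timedelta(minutes=30)):
    """file_events: (ts, path, plist_bytes); proc_events: (ts, parent, exe, user)."""
    alerts = []
    for mod_ts, path, content in file_events:
        hook = login_hook_path(content) if path == LOGINWINDOW_PLIST else None
        if hook is None:
            continue
        for exec_ts, parent, exe, user in proc_events:
            if exe != hook or not (mod_ts <= exec_ts <= mod_ts + time_window):
                continue
            alerts.append({
                "login_hook_path": hook,
                "user_context": user,
                "parent_process_name": parent,
                "parent_anomaly": parent != EXPECTED_PARENT,
                "seconds_after_modification": int((exec_ts - mod_ts).total_seconds()),
            })
    return alerts

# Constructed sample telemetry for demonstration (not captured from a real host).
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_FILE_EVENTS = [
    (T0, LOGINWINDOW_PLIST, plistlib.dumps({"LoginHook": "/Users/Shared/.hook.sh"})),
]
SAMPLE_PROC_EVENTS = [
    (T0 + timedelta(minutes=5), "loginwindow", "/Users/Shared/.hook.sh", "root"),  # expected lineage
    (T0 + timedelta(minutes=6), "bash", "/Users/Shared/.hook.sh", "alice"),        # parent anomaly
    (T0 + timedelta(hours=2), "loginwindow", "/Users/Shared/.hook.sh", "root"),    # outside window
    (T0 + timedelta(minutes=1), "loginwindow", "/usr/bin/open", "alice"),          # unrelated process
]

ALERTS = detect_login_hooks(SAMPLE_FILE_EVENTS, SAMPLE_PROC_EVENTS)  # two alerts expected
```

Tightening `time_window` reduces false positives from a legitimately configured hook firing at later logins, at the cost of missing delayed first execution; pairing the alert with `user_context` lets root-scoped hooks be prioritised over user-scoped ones.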