ID | Name |
---|---|
T1037.001 | Logon Script (Windows) |
T1037.002 | Login Hook |
T1037.003 | Network Logon Script |
T1037.004 | RC Scripts |
T1037.005 | Startup Items |
Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is an entry in the system-wide loginwindow preferences that names a script, which the loginwindow process runs with root privileges when a user logs in. The entry lives in `/Library/Preferences/com.apple.loginwindow.plist` and can be set with the `defaults` command-line utility. Logout hooks work the same way, running a script when the user logs out. Creating or modifying either kind of hook requires administrator permissions.[1][2]
Adversaries can add or insert a path to a malicious script in `com.apple.loginwindow.plist` using the `LoginHook` or `LogoutHook` key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can instead append additional commands to the existing hook script, since there can be only one login hook and one logout hook on a system at a time.[3][4]
Note: Login hooks were deprecated in macOS 10.11 in favor of Launch Daemons and Launch Agents.
ID | Mitigation | Description |
---|---|---|
M1022 | Restrict File and Directory Permissions | Restrict write access to logon scripts to specific administrators. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands with arguments to install or modify login hooks, such as `defaults write com.apple.loginwindow LoginHook` or `LogoutHook`. |
DS0022 | File | File Creation | Monitor for the creation of and/or changes to login hook files ( |
 | | File Modification | Monitor for changes to login hook files ( |
DS0009 | Process | Process Creation | Monitor for processes and/or command-lines to install or modify login hooks, as well as processes spawned at user login by these hooks. |
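As an added example (not code from the ATT&CK page or from any referenced tool), the following Python script audits the loginwindow plist described above for the `LoginHook` and `LogoutHook` keys and applies a few triage heuristics of the kind a file-monitoring detection (DS0022) would be paired with. It parses a constructed sample plist so it runs offline; on a Mac it reads the live `/Library/Preferences/com.apple.loginwindow.plist` instead. The sample plist contents and the triage criteria (hidden filename, user-writable directory, world-writable script) are this example's own assumptions, not criteria from the page; the `defaults` commands quoted in the docstring are the standard way the hook keys are set, read and removed.

```python
"""Audit a macOS loginwindow plist for LoginHook / LogoutHook entries.

Added example for the T1037.002 write-up; not code from the ATT&CK page.
The hook keys and the plist path are the ones the technique describes; the
sample plist contents and the triage heuristics are constructed for this
example.

Equivalent defaults(1) commands on a real Mac (administrator rights needed):
    sudo defaults write  com.apple.loginwindow LoginHook  /path/to/script
    sudo defaults read   com.apple.loginwindow LoginHook
    sudo defaults delete com.apple.loginwindow LoginHook
"""
import os
import plistlib
import stat

LOGINWINDOW_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"
HOOK_KEYS = ("LoginHook", "LogoutHook")

# Directories ordinary users can write to. A hook script living here runs as
# root from a file a non-admin could have planted or edited.
# (Heuristic chosen for this example, not a list from the ATT&CK page.)
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed sample: the plist after
#   sudo defaults write com.apple.loginwindow LoginHook /Users/Shared/.update.sh
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LoginHook</key>
    <string>/Users/Shared/.update.sh</string>
    <key>SHOWFULLNAME</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample with no hooks configured.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SHOWFULLNAME</key>
    <true/>
</dict>
</plist>
"""


def find_hooks(plist_bytes):
    """Return {hook_key: script_path} for each hook key present in the plist.

    plistlib.loads accepts both the XML form used above and the binary form
    that defaults(1) writes on disk, so the same call works on the live file.
    """
    data = plistlib.loads(plist_bytes)
    return {key: data[key] for key in HOOK_KEYS if key in data}


def triage_hook(path, mode=None):
    """Return the reasons a configured hook deserves a closer look.

    `mode` is the script's st_mode when the caller has it, or None when the
    file is missing or the plist came from another host.
    """
    reasons = ["hook configured (login hooks are deprecated)"]
    if os.path.basename(path).startswith("."):
        reasons.append("hidden filename")
    if path.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("user-writable location")
    if mode is not None and mode & stat.S_IWOTH:
        reasons.append("script is world-writable")
    return reasons


def audit_hooks(plist_bytes, stat_fn=None):
    """Produce one finding per configured hook.

    `stat_fn` maps a script path to its st_mode (or None). Pass local_mode for
    the machine being audited, or leave it None for offline plist analysis.
    """
    findings = []
    for key, path in find_hooks(plist_bytes).items():
        mode = stat_fn(path) if stat_fn else None
        findings.append({"key": key, "script": path, "reasons": triage_hook(path, mode)})
    return findings


def local_mode(path):
    """st_mode of a local file, or None if it does not exist."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


if __name__ == "__main__":
    if os.path.exists(LOGINWINDOW_PLIST):
        with open(LOGINWINDOW_PLIST, "rb") as fh:
            plist_bytes, source = fh.read(), LOGINWINDOW_PLIST
    else:
        plist_bytes, source = SAMPLE_PLIST, "constructed sample"
    for finding in audit_hooks(plist_bytes, local_mode):
        print(f"[{source}] {finding['key']} -> {finding['script']}: "
              + "; ".join(finding["reasons"]))
```

Run it as root on the host being checked so the script referenced by the hook can be stat'ed; any hook at all is worth a ticket on a modern macOS fleet, and the extra reasons only prioritise which one to open first.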