Adversaries may use a Login Hook to establish persistence by having a script executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located at /Library/Preferences/com.apple.loginwindow.plist and can be modified using the defaults command-line utility. Logout hooks behave the same way, executing a script upon user logout. Administrator permissions are required to create or modify either kind of hook.
Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file using the LoginHook key-value pair (LogoutHook for logout hooks). The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to the existing login hook. There can be only one login hook and one logout hook on a system at a time.
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions | Restrict write access to logon scripts to specific administrators. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Monitor executed commands with arguments to install or modify login hooks. |
| DS0022 | File | File Creation | Monitor for the creation of and/or changes to login hook files (/Library/Preferences/com.apple.loginwindow.plist). |
| DS0022 | File | File Modification | Monitor for changes to login hook files (/Library/Preferences/com.apple.loginwindow.plist). |
| DS0009 | Process | Process Creation | Monitor for processes and/or command-lines to install or modify login hooks, as well as processes spawned at user login by these hooks. |
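The following is an added example, not part of the ATT&CK page: a small audit script that reads com.apple.loginwindow.plist with Python's standard plistlib, reports any LoginHook or LogoutHook entries, and flags hook scripts that are not on an allowlist of approved paths. The allowlist path and the sample plist content are constructed for illustration.

```python
"""Audit com.apple.loginwindow.plist for LoginHook / LogoutHook entries."""
import plistlib
import sys

HOOK_KEYS = ("LoginHook", "LogoutHook")
LOGINWINDOW_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"


def find_hooks(plist_bytes: bytes) -> dict:
    """Return {hook_key: script_path} for every hook key present in the plist."""
    data = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    return {key: data[key] for key in HOOK_KEYS if key in data}


def audit_hooks(plist_bytes: bytes, allowlist: frozenset = frozenset()) -> list:
    """Return one finding per hook whose script path is not on the allowlist."""
    findings = []
    for key, script in find_hooks(plist_bytes).items():
        if script not in allowlist:
            findings.append(f"{key} -> {script} (not in allowlist)")
    return findings


# Constructed sample plist: one approved IT login script and one unexpected
# logout hook pointing into /tmp, which is the kind of entry an audit should raise.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LoginHook</key>
    <string>/usr/local/bin/it-login.sh</string>
    <key>LogoutHook</key>
    <string>/tmp/.cleanup</string>
    <key>SHOWFULLNAME</key>
    <true/>
</dict>
</plist>
"""

# Hypothetical allowlist of hook scripts approved by the administrator.
APPROVED_HOOKS = frozenset({"/usr/local/bin/it-login.sh"})

if __name__ == "__main__":
    # Audit the real file when given (or found); otherwise fall back to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else LOGINWINDOW_PLIST
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        raw = SAMPLE_PLIST
    for line in audit_hooks(raw, APPROVED_HOOKS) or ["no unexpected hooks"]:
        print(line)
```

Run it with root privileges on the host so the plist is readable, and pair the result with file-modification monitoring on the plist path from the detection table above.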