DET0244 Detection Strategy for Login Hook Persistence on macOS

| Item | Value |
| --- | --- |
| ID | DET0244 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1037.002 (Login Hook)

Analytics

macOS

AN0682

Detection of persistent login hooks configured via defaults or plist modifications that result in execution of scripts or binaries at user login, breaking expected parent-child process lineage.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | macos:unifiedlog | loginwindow or tccd-related entries |
| File Modification (DC0061) | fs:plist | /var/root/Library/Preferences/com.apple.loginwindow.plist |

Mutable Elements

| Field | Description |
| --- | --- |
| login_hook_path | Path of script or binary assigned to login hook; may vary by environment |
| user_context | Login hook may be applied to specific user accounts; tune by privilege level |
| time_window | Correlate plist file modification to execution within a short timeframe |
| parent_process_name | Expected parent process (e.g., loginwindow); anomalies can indicate masquerading |
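The correlation AN0682 describes, written out as an added example (not part of the ATT&CK entry): a change to the loginwindow plist followed within `time_window` by an unapproved process started by the expected parent. The event schema (`type`, `time`, `path`, `parent`, `image`, `user`, `actor`), the approved-hook baseline and all sample events are constructed assumptions, standing in for whatever your pipeline normalizes the two log sources into.

```python
from datetime import datetime, timedelta

# Mutable elements of AN0682; the values are constructed for this example.
PLIST = "/var/root/Library/Preferences/com.apple.loginwindow.plist"
TIME_WINDOW = timedelta(minutes=30)                   # time_window
PARENT_PROCESS_NAME = "loginwindow"                   # parent_process_name
APPROVED_HOOKS = {"/usr/local/corp/login-audit.sh"}   # login_hook_path baseline
USER_CONTEXT = {"root"}                               # user_context to alert on


def t(s):
    return datetime.fromisoformat(s)


# Constructed, already-normalized events (hypothetical schema, not raw log lines).
SAMPLE_EVENTS = [
    {"type": "file_mod", "time": t("2025-10-21T09:00:00"), "path": PLIST, "actor": "defaults"},
    {"type": "proc_create", "time": t("2025-10-21T09:12:00"), "parent": "loginwindow",
     "image": "/Users/Shared/hook-test.sh", "user": "root"},
    {"type": "proc_create", "time": t("2025-10-21T09:12:01"), "parent": "loginwindow",
     "image": "/usr/local/corp/login-audit.sh", "user": "root"},
    {"type": "proc_create", "time": t("2025-10-21T09:13:00"), "parent": "launchd",
     "image": "/Users/Shared/other.sh", "user": "root"},
    {"type": "proc_create", "time": t("2025-10-21T11:00:00"), "parent": "loginwindow",
     "image": "/Users/Shared/late.sh", "user": "root"},
]


def correlate(events, window=TIME_WINDOW):
    """Pair each change to the loginwindow plist with unapproved processes that
    the expected parent starts inside the window after that change."""
    events = sorted(events, key=lambda e: e["time"])
    mods = [e for e in events if e["type"] == "file_mod" and e["path"] == PLIST]
    alerts = []
    for e in events:
        if e["type"] != "proc_create" or e["parent"] != PARENT_PROCESS_NAME:
            continue
        if e["image"] in APPROVED_HOOKS or e["user"] not in USER_CONTEXT:
            continue
        prior = [m for m in mods if timedelta(0) <= e["time"] - m["time"] <= window]
        if prior:  # report the most recent modification before the execution
            alerts.append({"image": e["image"], "user": e["user"], "executed": e["time"],
                           "plist_modified": prior[-1]["time"], "modified_by": prior[-1]["actor"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the 30-minute window only the 09:12:00 execution alerts; the 11:00:00 one is missed, which is the trade-off to weigh when tuning `time_window`, since a hook set today can first run at a much later login.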