T1037.002 Login Hook
Adversaries may use a Login Hook to establish persistence that executes upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located at /Library/Preferences/com.apple.loginwindow.plist and can be modified using the defaults command-line utility. Logout hooks behave the same way, executing a script upon user logout. Creating or modifying any hook requires administrator permissions.[1][2]
Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to the existing login hook. There can be only one login and logout hook on a system at a time.[4][3]
Note: Login hooks were deprecated in macOS 10.11 in favor of Launch Daemons and Launch Agents.
| Item | Value |
|---|---|
| ID | T1037.002 |
| Sub-techniques | T1037.001, T1037.002, T1037.003, T1037.004, T1037.005 |
| Tactics | TA0003, TA0004 |
| Platforms | macOS |
| Version | 2.0 |
| Created | 10 January 2020 |
| Last Modified | 20 April 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions | Restrict write access to logon scripts to specific administrators. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
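A defender-side audit for the hook keys described on this page, as an added example that is not part of the ATT&CK entry: it parses com.apple.loginwindow.plist, reports any LoginHook or LogoutHook value, and flags hook scripts whose ownership or permissions conflict with mitigation M1022. The function names and the constructed fallback plist are assumptions of this example.

```python
import os
import plistlib
import stat

LOGINWINDOW_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"  # path from the page
HOOK_KEYS = ("LoginHook", "LogoutHook")  # keys named on the page


def find_hooks(plist_bytes):
    """Return {key: script_path} for hook keys set in the plist (XML or binary)."""
    prefs = plistlib.loads(plist_bytes)
    return {k: prefs[k] for k in HOOK_KEYS if isinstance(prefs.get(k), str)}


def script_risks(path):
    """List ownership/permission problems on a hook script, which runs as root."""
    try:
        st = os.stat(path)
    except OSError:
        return ["script missing or unreadable"]
    risks = []
    if st.st_uid != 0:
        risks.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        risks.append("writable by group or others")
    return risks


def audit(plist_bytes):
    """Return one finding per configured hook, sorted by key name."""
    return [
        {"key": key, "script": path, "risks": script_risks(path)}
        for key, path in sorted(find_hooks(plist_bytes).items())
    ]


if __name__ == "__main__":
    try:
        with open(LOGINWINDOW_PLIST, "rb") as fh:
            data = fh.read()
    except OSError:
        # Constructed sample so the example also runs off-host.
        data = plistlib.dumps({"LoginHook": "/Users/Shared/constructed-hook.sh"})
    for finding in audit(data):
        print(finding)
```

Because login hooks are deprecated, any non-empty result on a current macOS host is worth reviewing against change records, whether or not a permission risk is flagged.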
References
1. Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.
2. Apple. (n.d.). LoginWindowScripts. Retrieved April 1, 2022.
3. Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.
4. Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved March 27, 2020.