Home
ATT&CK Techniques
T1037.002 Login Hook

T1037.002 Login Hook Mappings

Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)

Adversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)

Note: Login hooks were deprecated in 10.11 version of macOS in favor of Launch Daemon and Launch Agent

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-3	Access Enforcement	Protects	T1037.002	Logon Script (Mac)
CA-7	Continuous Monitoring	Protects	T1037.002	Logon Script (Mac)
CM-2	Baseline Configuration	Protects	T1037.002	Logon Script (Mac)
CM-6	Configuration Settings	Protects	T1037.002	Logon Script (Mac)
SI-3	Malicious Code Protection	Protects	T1037.002	Logon Script (Mac)
SI-4	System Monitoring	Protects	T1037.002	Logon Script (Mac)
SI-7	Software, Firmware, and Information Integrity	Protects	T1037.002	Logon Script (Mac)
attribute.integrity.variety.Modify configuration	Modified configuration or services	related-to	T1037.002	Boot or Logon Initialization Scripts: Logon Script (Mac)