Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
Adversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)
Note: Login hooks were deprecated in 10.11 version of macOS in favor of Launch Daemon and Launch Agent
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-03 | Access Enforcement | Protects | T1037.002 | Login Hook |
| CM-02 | Baseline Configuration | Protects | T1037.002 | Login Hook |
| SI-03 | Malicious Code Protection | Protects | T1037.002 | Login Hook |
| SI-04 | System Monitoring | Protects | T1037.002 | Login Hook |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1037.002 | Login Hook |
| CM-06 | Configuration Settings | Protects | T1037.002 | Login Hook |
| CA-07 | Continuous Monitoring | Protects | T1037.002 | Login Hook |