Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike Startup Items, a login hook executes as the elevated root user.(Citation: creating login hook)
Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1037.002 | Logon Script (Mac) |
| CA-7 | Continuous Monitoring | Protects | T1037.002 | Logon Script (Mac) |
| CM-2 | Baseline Configuration | Protects | T1037.002 | Logon Script (Mac) |
| CM-6 | Configuration Settings | Protects | T1037.002 | Logon Script (Mac) |
| SI-3 | Malicious Code Protection | Protects | T1037.002 | Logon Script (Mac) |
| SI-4 | System Monitoring | Protects | T1037.002 | Logon Script (Mac) |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1037.002 | Logon Script (Mac) |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.002 | Boot or Logon Initialization Scripts: Logon Script (Mac) |