T1037.002 Logon Script (Mac) Mappings

Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike Startup Items, a login hook executes as the elevated root user.(Citation: creating login hook)

Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time, though, and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary.
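A defender-side audit for the login hook described above, added here as an example and not part of the original page. It assumes the hook is stored under the `LoginHook` (or `LogoutHook`) key of the `com.apple.loginwindow` preferences and that the system-wide plist lives at the path shown; neither detail is stated on this page, and the sample plist is constructed.

```python
import os
import plistlib
import stat

# Preference keys loginwindow reads for hook scripts (not named on the page).
HOOK_KEYS = ("LoginHook", "LogoutHook")
# System-wide loginwindow preferences on macOS (assumed default location).
SYSTEM_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"

# Constructed sample: a plist with one login hook set.
SAMPLE = plistlib.dumps(
    {"LoginHook": "/Library/Scripts/example-hook.sh", "SHOWFULLNAME": False}
)


def find_hooks(plist_bytes):
    """Return {key: script_path} for hook keys present in a loginwindow plist."""
    prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    return {k: prefs[k] for k in HOOK_KEYS if isinstance(prefs.get(k), str)}


def script_findings(path):
    """Flag conditions that let a non-root account alter what root runs at login."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["script missing (stale hook entry)"]
    findings = []
    if st.st_uid != 0:
        findings.append(f"owner uid {st.st_uid} is not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    return findings


def audit(plist_bytes):
    """Return (key, script_path, findings) for every configured hook."""
    return [(k, p, script_findings(p)) for k, p in find_hooks(plist_bytes).items()]


if __name__ == "__main__":
    data = SAMPLE
    if os.path.exists(SYSTEM_PLIST):
        with open(SYSTEM_PLIST, "rb") as fh:
            data = fh.read()
    for key, path, findings in audit(data):
        print(f"{key} -> {path}: {'; '.join(findings) or 'no permission findings'}")
```

On a baseline that does not use login hooks, any entry returned by `audit` is itself worth investigating, independent of the permission findings.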



| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1037.002 | Logon Script (Mac) |
| CA-7 | Continuous Monitoring | Protects | T1037.002 | Logon Script (Mac) |
| CM-2 | Baseline Configuration | Protects | T1037.002 | Logon Script (Mac) |
| CM-6 | Configuration Settings | Protects | T1037.002 | Logon Script (Mac) |
| SI-3 | Malicious Code Protection | Protects | T1037.002 | Logon Script (Mac) |
| SI-4 | System Monitoring | Protects | T1037.002 | Logon Script (Mac) |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1037.002 | Logon Script (Mac) |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.002 | Boot or Logon Initialization Scripts: Logon Script (Mac) |