T1037.002 Login Hook Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detection for T1037.002 - macOS Login Hook via Syslog/CommonSecurityLog ingested into Sentinel
// Covers: defaults write to loginwindow plist, direct plist modification, and suspicious script execution at login
let LoginHookPaths = dynamic([
  "/Library/Preferences/com.apple.loginwindow.plist",
  "com.apple.loginwindow"
]);
let LoginHookKeys = dynamic([
  "LoginHook",
  "LogoutHook"
]);
// Detection 1: Process events showing 'defaults' command modifying loginwindow plist
let DefaultsModification = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has "defaults" and SyslogMessage has "com.apple.loginwindow"
| where SyslogMessage has_any ("LoginHook", "LogoutHook")
| extend CommandLine = extract(@"defaults\s+.+", 0, SyslogMessage)
| extend HookType = iff(SyslogMessage has "LoginHook", "LoginHook", "LogoutHook")
| extend ScriptPath = extract(@"(LoginHook|LogoutHook)\s+([/\w\-.]+)", 2, SyslogMessage)
| project TimeGenerated, Computer, SyslogMessage, CommandLine, HookType, ScriptPath,
          HostName, ProcessName
| extend DetectionType = "defaults_write_loginwindow";
// Detection 2: Direct file write to loginwindow plist
let PlistFileWrite = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has "/Library/Preferences/com.apple.loginwindow.plist"
| where SyslogMessage has_any ("write", "open", "create", "truncate", "rename")
| project TimeGenerated, Computer, SyslogMessage, HostName, ProcessName
| extend DetectionType = "plist_file_modification"
| extend HookType = "unknown"
| extend ScriptPath = ""
| extend CommandLine = SyslogMessage;
// Detection 3: CommonSecurityLog (CEF) from macOS endpoint agents
let CEFLoginHook = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceEventClassID in ("process_create", "file_write", "file_create")
| where RequestURL has_any (LoginHookPaths) or Message has_any (LoginHookKeys)
| extend CommandLine = RequestURL
| extend HookType = iff(Message has "LoginHook", "LoginHook", iff(Message has "LogoutHook", "LogoutHook", "unknown"))
| extend ScriptPath = extract(@"(LoginHook|LogoutHook)[\s=]+([/\w\-.]+)", 2, Message)
| project TimeGenerated, Computer = DeviceName, SyslogMessage = Message, CommandLine,
          HookType, ScriptPath, HostName = DeviceName, ProcessName = SourceProcessName
| extend DetectionType = "cef_endpoint_agent";
// Union all detections
DefaultsModification
| union CEFLoginHook
| union PlistFileWrite
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Modification macOS Syslog CommonSecurityLog (CEF)

Required Tables

Syslog CommonSecurityLog

False Positives

MDM solutions (Jamf Pro, Mosyle, Kandji) legitimately writing LoginHook entries as part of managed configuration profiles and onboarding workflows
IT administrators manually configuring login scripts for legitimate enterprise purposes such as drive mapping or authentication setup
Security software or compliance agents that use login hooks for startup checks on older macOS versions (pre-10.11)
Migration scripts or imaging tools that configure loginwindow plist as part of macOS system setup or re-imaging processes

Splunk

spl

index=syslog OR index=mac_logs sourcetype="syslog" OR sourcetype="linux_secure" OR sourcetype="macos_secure"
| eval raw_lower = lower(_raw)
| where (match(raw_lower, "defaults") AND match(raw_lower, "com\.apple\.loginwindow"))
   OR match(raw_lower, "loginhook")
   OR match(raw_lower, "logouthook")
   OR (match(raw_lower, "loginwindow\.plist") AND match(raw_lower, "(write|create|open|truncate)"))
| eval HookType = case(
    match(raw_lower, "loginhook"), "LoginHook",
    match(raw_lower, "logouthook"), "LogoutHook",
    true(), "unknown"
  )
| eval DefaultsWrite = if(match(raw_lower, "defaults.*write.*loginwindow"), 1, 0)
| eval PlistDirectWrite = if(match(raw_lower, "loginwindow\.plist") AND match(raw_lower, "(write|create|truncate|rename)"), 1, 0)
| eval ScriptPath = coalesce(
    mvindex(split(rex(field=_raw, "(?i)(LoginHook|LogoutHook)\s+([/\w\-.]+)"), " "), 2),
    "unknown"
  )
| rex field=_raw "(?i)(?:defaults\s+write\s+[^\s]+\s+(?:Login|Logout)Hook\s+)(?<extracted_script>[/\w.\-]+)"
| eval SuspicionScore = DefaultsWrite + PlistDirectWrite
| where SuspicionScore > 0 OR HookType != "unknown"
| table _time, host, sourcetype, HookType, DefaultsWrite, PlistDirectWrite, extracted_script, SuspicionScore, _raw
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Modification macOS Syslog

Required Sourcetypes

syslog linux_secure

False Positives

MDM solutions (Jamf Pro, Mosyle, Kandji) legitimately writing LoginHook entries as part of managed configuration profiles and onboarding workflows
IT administrators manually configuring login scripts for legitimate enterprise purposes such as drive mapping or authentication setup
Security software or compliance agents that use login hooks for startup checks on older macOS versions (pre-10.11)
Migration scripts or imaging tools that configure loginwindow plist as part of macOS system setup or re-imaging processes

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and
    event.type == "start" and
    process.name == "defaults" and
    process.args : "com.apple.loginwindow" and
    process.args : ("LoginHook", "LogoutHook")
  ) or
  (
    event.category == "file" and
    event.type in ("creation", "change") and
    file.path == "/Library/Preferences/com.apple.loginwindow.plist" and
    not process.name in ("mDNSResponder", "cfprefsd", "nsurlsessiond")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (macOS) Auditbeat (macOS file integrity monitoring)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-*

False Positives

MDM platforms (Jamf Pro, Mosyle, Kandji, Addigy) legitimately configuring or reading login hooks as part of device enrollment or profile application workflows
Legacy endpoint security agents (older Symantec, McAfee, Sophos) that historically registered login hooks for persistence of their own components before macOS 10.11 deprecated the mechanism
macOS Migration Assistant or Time Machine restore operations that replay the full contents of /Library/Preferences/ including loginwindow.plist from a backup containing an existing hook entry

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  hostname AS Hostname,
  QIDNAME(qid) AS EventName,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN LOWER("UTF8(payload)") LIKE '%loginhook%' THEN 'LoginHook'
    WHEN LOWER("UTF8(payload)") LIKE '%logouthook%' THEN 'LogoutHook'
    ELSE 'unknown'
  END AS HookType,
  CASE
    WHEN LOWER("UTF8(payload)") LIKE '%defaults%write%loginwindow%' THEN 1
    ELSE 0
  END AS DefaultsWrite,
  CASE
    WHEN LOWER("UTF8(payload)") LIKE '%loginwindow.plist%'
     AND (LOWER("UTF8(payload)") LIKE '%write%'
       OR LOWER("UTF8(payload)") LIKE '%create%'
       OR LOWER("UTF8(payload)") LIKE '%truncate%'
       OR LOWER("UTF8(payload)") LIKE '%rename%') THEN 1
    ELSE 0
  END AS PlistDirectWrite,
  "UTF8(payload)" AS RawPayload
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN (
  'Apple OS X', 'Syslog', 'Universal DSM', 'macOS Unified Logging'
)
AND (
  (LOWER("UTF8(payload)") LIKE '%defaults%' AND LOWER("UTF8(payload)") LIKE '%com.apple.loginwindow%')
  OR LOWER("UTF8(payload)") LIKE '%loginhook%'
  OR LOWER("UTF8(payload)") LIKE '%logouthook%'
  OR (
    LOWER("UTF8(payload)") LIKE '%loginwindow.plist%'
    AND (
      LOWER("UTF8(payload)") LIKE '%write%'
      OR LOWER("UTF8(payload)") LIKE '%create%'
      OR LOWER("UTF8(payload)") LIKE '%truncate%'
      OR LOWER("UTF8(payload)") LIKE '%rename%'
    )
  )
)
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

macOS Syslog via QRadar Universal DSM Apple OS X log source macOS Unified Logging forwarded via syslog

Required Tables

events

False Positives

MDM enrollment scripts using 'defaults write com.apple.loginwindow' to apply legitimate IT policy configurations such as auto-login or screensaver lock settings that happen to appear in the same log stream as hook-related keywords
Security audit tooling (e.g., osquery, Munki) that reads loginwindow.plist for inventory or compliance checks, generating read-access log entries containing the plist path
Legitimate administrator shell scripts that invoke 'defaults' against com.apple.loginwindow for unrelated keys (e.g., RetriesUntilHint) whose log entries incidentally match the broad keyword filter

Sumo Logic CSE

sql

_sourceCategory=macos* OR _sourceCategory=*syslog* OR _sourceCategory=*osquery*
| where (contains(toLowerCase(_raw), "defaults") AND contains(toLowerCase(_raw), "com.apple.loginwindow"))
   OR contains(toLowerCase(_raw), "loginhook")
   OR contains(toLowerCase(_raw), "logouthook")
   OR (contains(toLowerCase(_raw), "loginwindow.plist") AND matches(_raw, "(?i)(write|create|open|truncate|rename)"))
| parse regex "(?i)(?:LoginHook|LogoutHook)\\s+(?<script_path>[/\\w.\\-]+)" nodrop
| eval hook_type = if(contains(toLowerCase(_raw), "loginhook"), "LoginHook",
    if(contains(toLowerCase(_raw), "logouthook"), "LogoutHook", "unknown"))
| eval defaults_write = if(matches(_raw, "(?i)defaults\\s+write\\s+[^\\s]*loginwindow"), 1, 0)
| eval plist_write = if(contains(toLowerCase(_raw), "loginwindow.plist") AND matches(_raw, "(?i)(write|create|truncate|rename)"), 1, 0)
| eval suspicion_score = defaults_write + plist_write + if(hook_type != "unknown", 1, 0)
| where hook_type != "unknown" OR defaults_write = 1 OR plist_write = 1
| fields _messageTime, _sourceHost, hook_type, defaults_write, plist_write, script_path, suspicion_score, _raw
| sort by _messageTime desc

high severity medium confidence

Data Sources

macOS syslog forwarded to Sumo Logic osquery process events (macOS) Sumo Logic Installed Collector on macOS endpoints

Required Tables

_sourceCategory=macos* _sourceCategory=*syslog* _sourceCategory=*osquery*

False Positives

MDM tools such as Jamf Pro running 'defaults write' commands against loginwindow for legitimate configuration payloads (e.g., com.apple.loginwindow DisableScreenLock) that generate log entries matching the keyword filter
osquery scheduled queries or fleet checks that read /Library/Preferences/com.apple.loginwindow.plist for compliance inventory, surfacing the plist path with read-access verbs in syslog
System administrators using PlistBuddy or python plistlib in maintenance scripts that touch loginwindow.plist for unrelated keys, which the regex captures due to broad plist path matching

Google Chronicle / SecOps

yaral

rule macos_login_hook_persistence_t1037_002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects macOS Login Hook persistence via defaults write to loginwindow plist or direct plist modification (T1037.002)"
    severity = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1037.002"
    reference = "https://attack.mitre.org/techniques/T1037/002/"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `.*\/defaults$`) and
      re.regex($e.target.process.command_line, `com\.apple\.loginwindow`) and
      (
        re.regex($e.target.process.command_line, `LoginHook`) or
        re.regex($e.target.process.command_line, `LogoutHook`)
      )
    )
    or
    (
      $e.metadata.event_type = "FILE_MODIFICATION" and
      $e.target.file.full_path = "/Library/Preferences/com.apple.loginwindow.plist"
    )
    or
    (
      $e.metadata.event_type = "FILE_CREATION" and
      $e.target.file.full_path = "/Library/Preferences/com.apple.loginwindow.plist"
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle macOS endpoint telemetry CrowdStrike Falcon via Chronicle integration Carbon Black via Chronicle integration Palo Alto Cortex XDR via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH, FILE_MODIFICATION, FILE_CREATION)

False Positives

Jamf Pro or other MDM platforms executing 'defaults write' against com.apple.loginwindow as part of a configuration profile push or enrollment script that sets unrelated loginwindow keys (e.g., showInputMenu, RetriesUntilHint)
Corporate-sanctioned IT scripts that write to loginwindow.plist during system setup or imaging workflows, where the plist path appears in FILE_CREATION events from the restore toolchain
macOS system processes (cfprefsd, configd) performing background synchronization of preference domain caches that incidentally touch loginwindow.plist without adversarial intent

CrowdStrike LogScale (CQL)

cql

(#event_simpleName=ProcessRollup2 ImageFileName=/\/defaults$/ CommandLine=/com\.apple\.loginwindow/ CommandLine=/(LoginHook|LogoutHook)/)
OR (#event_simpleName=MacFileWritten FilePath=/\/Library\/Preferences\/com\.apple\.loginwindow\.plist/)
OR (#event_simpleName=MacFileCreated FilePath=/\/Library\/Preferences\/com\.apple\.loginwindow\.plist/)
| HookType := if(CommandLine = /LoginHook/, "LoginHook", if(CommandLine = /LogoutHook/, "LogoutHook", "FileMod"))
| DetectionVector := if(#event_simpleName = "ProcessRollup2", "defaults_write", "plist_direct_write")
| table([_time, ComputerName, UserName, CommandLine, FilePath, HookType, DetectionVector, #event_simpleName])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (macOS) Falcon ProcessRollup2 telemetry Falcon file system events (MacFileWritten, MacFileCreated)

Required Tables

ProcessRollup2 MacFileWritten MacFileCreated

False Positives

Falcon sensor self-registration or update workflows that interact with macOS preference domains, generating ProcessRollup2 events for system utilities that match broad command-line filters
Legitimate MDM agent processes (Jamf binary, Mosyle agent) invoking 'defaults' against com.apple.loginwindow during managed enrollment, which appear in Falcon telemetry with matching ImageFileName and CommandLine patterns
macOS system upgrade or recovery tooling (e.g., softwareupdate, startosinstall) that rewrites /Library/Preferences/ during OS installation phases, producing MacFileWritten events for loginwindow.plist as part of a larger preference migration

Login Hook

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections