T1037.002 Elastic Security · Elastic

Detect Login Hook in Elastic Security

Adversaries may use a Login Hook to establish persistence executed upon user logon on macOS. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located at /Library/Preferences/com.apple.loginwindow.plist and can be modified using the defaults command-line utility. Login hooks (LoginHook key) and logout hooks (LogoutHook key) both require administrator permissions to modify. Adversaries insert a path to a malicious script into the plist, which executes upon the next user login. Only one login and one logout hook can exist on a system at a time. Note: Login hooks were deprecated in macOS 10.11 in favor of Launch Daemons and Launch Agents, but they continue to function on newer systems.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Sub-technique
T1037.002 Login Hook
Canonical reference
https://attack.mitre.org/techniques/T1037/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.category == "process" and
    event.type == "start" and
    process.name == "defaults" and
    process.args : "com.apple.loginwindow" and
    process.args : ("LoginHook", "LogoutHook")
  ) or
  (
    event.category == "file" and
    event.type in ("creation", "change") and
    file.path == "/Library/Preferences/com.apple.loginwindow.plist" and
    not process.name in ("mDNSResponder", "cfprefsd", "nsurlsessiond")
  )
high severity high confidence

Detects macOS Login Hook persistence (T1037.002) via two vectors: (1) execution of the 'defaults' command writing LoginHook or LogoutHook keys to the com.apple.loginwindow preference domain, and (2) direct file creation or modification of /Library/Preferences/com.apple.loginwindow.plist by unexpected processes. Uses Elastic Endpoint agent telemetry from macOS hosts via ECS-normalized process and file events.

Data Sources

Elastic Endpoint Security (macOS)Auditbeat (macOS file integrity monitoring)

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*

False Positives & Tuning

  • MDM platforms (Jamf Pro, Mosyle, Kandji, Addigy) legitimately configuring or reading login hooks as part of device enrollment or profile application workflows
  • Legacy endpoint security agents (older Symantec, McAfee, Sophos) that historically registered login hooks for persistence of their own components before macOS 10.11 deprecated the mechanism
  • macOS Migration Assistant or Time Machine restore operations that replay the full contents of /Library/Preferences/ including loginwindow.plist from a backup containing an existing hook entry
Download portable Sigma rule (.yml)

Other platforms for T1037.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Register Malicious Login Hook via defaults write

    Expected signal: macOS Unified Log entries for the 'defaults' process with arguments 'write /Library/Preferences/com.apple.loginwindow LoginHook /tmp/argus_login_hook_test.sh'. File modification event for /Library/Preferences/com.apple.loginwindow.plist. Syslog entries showing the defaults command execution. EDR process telemetry showing parent shell spawning defaults binary with loginwindow plist arguments.

  2. Test 2Register Logout Hook via defaults write

    Expected signal: macOS Unified Log entries showing defaults process execution with 'write', 'com.apple.loginwindow', and 'LogoutHook' arguments. File modification timestamp update on /Library/Preferences/com.apple.loginwindow.plist. Syslog entries capturing the command. EDR file write event for the plist file.

  3. Test 3Direct Plist Modification of loginwindow.plist via PlistBuddy

    Expected signal: macOS Unified Log entries for PlistBuddy process (/usr/libexec/PlistBuddy) accessing /Library/Preferences/com.apple.loginwindow.plist. File write/modification event for the plist. EDR file modification telemetry showing PlistBuddy as the modifying process. Note: 'defaults' command will NOT appear in logs for this variant — detections must also cover direct plist modification.

  4. Test 4Read Existing Login Hook to Identify Persistence (Discovery Phase)

    Expected signal: macOS Unified Log entries for 'defaults read' commands targeting com.apple.loginwindow. Multiple defaults process executions in rapid succession (read pattern vs. write pattern). If existing hook script was modified, file modification events for that script. Syslog entries showing defaults process activity.

Last updated: 2026-04-16 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1037.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1037Boot or Logon Initialization Scripts

Related Sub-techniques

T1037.001Logon Script (Windows)T1037.003Network Logon ScriptT1037.004RC ScriptsT1037.005Startup Items

Related Techniques

T1037Boot or Logon Initialization ScriptsT1543.001Launch AgentT1543.004Launch DaemonT1059.006PythonT1059.004Unix ShellT1222.002Linux and Mac File and Directory Permissions ModificationT1105Ingress Tool TransferT1078.003Local Accounts

Same Tactic: Persistence

Popular Detections