title: Login Hook (T1037.002)
id: df00tech-t1037-002
status: experimental
description: "Adversaries may use a Login Hook to establish persistence executed upon user logon on macOS. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located at /Library/Preferences/com.apple.loginwindow.plist and can be modified using the defaults command-line utility. Login hooks (LoginHook key) and logout hooks (LogoutHook key) both require administrator permissions to modify. Adversaries insert a path to a malicious script into the plist, which executes upon the next user login. Only one login and one logout hook can exist on a system at a time. Note: Login hooks were deprecated in macOS 10.11 in favor of Launch Daemons and Launch Agents, but they continue to function on newer systems."
references:
  - https://attack.mitre.org/techniques/T1037/002/
  - https://df00tech.com/detections/T1037.002
author: df00tech
date: 2026/04/16
tags:
  - attack.t1037.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # Derived from the technique description (defaults writes of LoginHook/LogoutHook to the loginwindow plist);
  # see the KQL/SPL query on df00tech for the original logic.
  selection_cmd:
    CommandLine|contains|all:
      - 'defaults'
      - 'write'
      - 'com.apple.loginwindow'
  selection_key:
    CommandLine|contains:
      - 'LoginHook'
      - 'LogoutHook'
  condition: selection_cmd and selection_key
falsepositives:
  - "MDM solutions (Jamf Pro, Mosyle, Kandji) legitimately writing LoginHook entries as part of managed configuration profiles and onboarding workflows"
  - IT administrators manually configuring login scripts for legitimate enterprise purposes such as drive mapping or authentication setup
  - Security software or compliance agents that use login hooks for startup checks on older macOS versions (pre-10.11)
  - Migration scripts or imaging tools that configure loginwindow plist as part of macOS system setup or re-imaging processes
level: high
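The two defender-side checks the rule implies, as an added example that is not part of the df00tech rule: flagging process-creation events that set the loginwindow LoginHook/LogoutHook keys via `defaults write`, and auditing a loginwindow plist for hooks already in place. The event records (dicts with `user` and `cmdline` fields) and the plist contents are constructed samples.

```python
import plistlib
import shlex

HOOK_KEYS = ("LoginHook", "LogoutHook")


def is_hook_write(cmdline: str) -> bool:
    """True if cmdline runs `defaults write` on the loginwindow plist with a hook key and a value."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: treat as no match
        return False
    # Locate the `defaults` binary; it may be preceded by sudo or given as a full path.
    idx = next((i for i, a in enumerate(argv) if a.rsplit("/", 1)[-1] == "defaults"), None)
    # Need: defaults write <domain-or-plist-path> <key> <value>
    if idx is None or len(argv) < idx + 5 or argv[idx + 1] != "write":
        return False
    domain, key = argv[idx + 2], argv[idx + 3]
    return "com.apple.loginwindow" in domain and key in HOOK_KEYS


def find_hook_writes(events):
    """Return (user, cmdline) for every event that sets a login or logout hook."""
    return [(e["user"], e["cmdline"]) for e in events if is_hook_write(e["cmdline"])]


def audit_loginwindow_plist(plist_bytes: bytes) -> dict:
    """Return hook key -> script path for hooks present in a loginwindow plist (empty if none).
    Covers hooks written by tools other than `defaults` (e.g. direct plist edits) that the
    command-line check above does not see."""
    data = plistlib.loads(plist_bytes)
    return {k: data[k] for k in HOOK_KEYS if k in data}


# Constructed sample process_creation events (not real telemetry)
SAMPLE_EVENTS = [
    {"user": "root", "cmdline": "sudo defaults write /Library/Preferences/com.apple.loginwindow LoginHook /Users/Shared/update.sh"},
    {"user": "root", "cmdline": "/usr/bin/defaults write com.apple.loginwindow LogoutHook /tmp/cleanup.sh"},
    {"user": "alice", "cmdline": "defaults read /Library/Preferences/com.apple.loginwindow"},
    {"user": "alice", "cmdline": "defaults write com.apple.dock autohide -bool true"},
    {"user": "root", "cmdline": "launchctl load /Library/LaunchDaemons/com.example.agent.plist"},
]

# Constructed loginwindow plists: one with a hook configured, one without
HOOKED_PLIST = plistlib.dumps({"LoginHook": "/Users/Shared/update.sh", "lastUserName": "alice"})
CLEAN_PLIST = plistlib.dumps({"lastUserName": "bob"})

if __name__ == "__main__":
    for user, cmd in find_hook_writes(SAMPLE_EVENTS):
        print(f"ALERT T1037.002 hook write by {user}: {cmd}")
    print("hooks configured in plist:", audit_loginwindow_plist(HOOKED_PLIST))
```

On a live host the plist audit would read `/Library/Preferences/com.apple.loginwindow.plist` (root-readable) instead of the constructed bytes; a hook present there on a system newer than 10.11 deserves a look regardless of how it was written.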
