Description
Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)
Note: Login hooks were deprecated in 10.11 version of macOS in favor of Launch Daemon and Launch Agent
Platforms
Mitigations (1)
Restrict File and Directory PermissionsM1022
Restrict write access to logon scripts to specific administrators.
References
- Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.
- Apple. (n.d.). LoginWindowScripts. Retrieved April 1, 2022.
- Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.
- Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved March 27, 2020.
Frequently Asked Questions
What is T1037.002 (Login Hook)?
T1037.002 is a MITRE ATT&CK technique named 'Login Hook'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The p...
How can T1037.002 be detected?
Detection of T1037.002 (Login Hook) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1037.002?
There are 1 documented mitigations for T1037.002. Key mitigations include: Restrict File and Directory Permissions.
Which threat groups use T1037.002?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.