this method is possibly still used by legacy enterprise management scripts. update filter macro to remove false positives.

Techniques

T1037.002

Sample rules

MacOS LoginHook Persistence

source: splunk
technicques:
- T1037.002

Description

Identifies attempts to configure a macOS LoginHook via the defaults utility. LoginHooks enable automatic execution of a script or program upon user login and have historically been abused for persistence. Creation or modification of this setting may indicate an attempt to establish startup execution outside standard LaunchAgent mechanisms.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process = "*defaults *"
Processes.process = "*write*"
Processes.process = "*loginwindow*"
Processes.process = "*loginhook*"

by Processes.dest Processes.original_file_name Processes.parent_process_id
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_current_directory Processes.process_name
   Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `macos_loginhook_persistence_filter`