← Back to Explore
T1037.002
Login Hook
Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permiss...
macOS
2
Detections
1
Sources
0
Threat Actors
BY SOURCE
2elastic
PROCEDURES (2)
Script Execution Monitoring1 detections
Auto-extracted: 1 detections for script execution monitoring
Process Creation Monitoring1 detections
Auto-extracted: 1 detections for process creation monitoring