DET0244: Detection Strategy for Login Hook Persistence on macOS
Analyst context for executives and security teams
This detection strategy is intended to help identify macOS Login Hook persistence, a mechanism where logon-related configuration can cause a script to run with elevated privileges when a user logs in. For leaders, the practical issue is not just malware persistence; it is whether the organization can prove that managed Macs are monitored for privileged startup/logon changes that could survive reboots and complicate incident recovery.
Executive priority
Prioritize this where macOS endpoints are material to business operations, executive users, developers, administrators, or regulated workflows. The decision value is to validate whether endpoint logging, privileged-change monitoring, and incident response playbooks can detect and investigate persistence tied to T1037.002 Login Hook. Because the ATT&CK detection strategy object has no official detection text, leaders should treat this as a coverage-validation item rather than evidence that a specific analytic is already defined.
Technical view
This object detects ATT&CK technique T1037.002, Login Hook, associated with persistence and privilege escalation on macOS. SOC and detection teams should validate visibility into changes involving the macOS loginwindow preference plist and related privileged configuration activity, including the process and user context responsible for changes. IR teams should ensure triage procedures can identify unexpected login or logout hook configuration and determine whether referenced scripts or files are legitimate administrative artifacts or suspicious persistence.
Likely telemetry
- macOS endpoint file and configuration change telemetry for /Library/Preferences/com.apple.loginwindow.plist
- Process execution telemetry showing utilities or administrative tools modifying loginwindow preferences
- User and privilege context for configuration changes, especially administrator-level activity
- Endpoint security or EDR events related to persistence, startup, or logon configuration changes
- File metadata and script inventory for any artifacts referenced by login or logout hook configuration
Detection direction
- Confirm whether macOS endpoints actually collect configuration-change events for loginwindow-related plist files; absence of this telemetry is the primary blind spot.
- Tune detections around unexpected creation, modification, or reintroduction of login/logout hook configuration, with attention to administrator context because hooks require administrator permissions.
- Correlate configuration changes with process execution and user identity to distinguish approved management activity from anomalous local or scripted changes.
- Review false positives from legitimate endpoint management, IT automation, or legacy administrative scripts before escalating as malicious.
- Use the relationship to T1037.002 to map alerts to persistence and privilege-escalation investigation workflows, not just generic file-change monitoring.
Mitigation priorities
- Establish an approved baseline for macOS login/logout hook configuration and investigate deviations.
- Restrict and audit administrator-level changes on macOS systems, since the related technique requires administrator permissions.
- Ensure managed detection and IR workflows include review of macOS logon persistence locations during containment and recovery.
- Maintain endpoint telemetry retention sufficient to determine when the configuration changed and which account or process made the change.
- Document monitoring and response evidence for compliance or audit programs that require proof of endpoint persistence control coverage.
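As an added example (not part of the mirrored ATT&CK object or Glexia's analysis), the baseline comparison described in the detection-direction and mitigation bullets above, in Python: it parses a constructed com.apple.loginwindow.plist with plistlib, compares the LoginHook and LogoutHook keys against a hypothetical approved baseline, and flags any hook whose script sits outside an assumed approved directory. The baseline entries, the /Library/Management/ directory and the sample plist values are assumptions made for the example.

```python
import plistlib
from typing import Dict, List, Optional

# Keys that macOS loginwindow reads for login and logout hooks.
HOOK_KEYS = ("LoginHook", "LogoutHook")

# Hypothetical approved baseline (assumed for this example): where sanctioned hook
# scripts live, and which hook entries are expected (None = no hook configured).
APPROVED_SCRIPT_DIRS = ("/Library/Management/",)
APPROVED_BASELINE: Dict[str, Optional[str]] = {
    "LoginHook": "/Library/Management/login-audit.sh",
    "LogoutHook": None,
}

def extract_hooks(plist_bytes: bytes) -> Dict[str, str]:
    """Return the hook entries present in a serialized com.apple.loginwindow.plist."""
    data = plistlib.loads(plist_bytes)
    return {k: data[k] for k in HOOK_KEYS if k in data}

def find_deviations(observed: Dict[str, str],
                    baseline: Dict[str, Optional[str]]) -> List[str]:
    """Describe every way the observed hook configuration departs from the baseline."""
    findings = []
    for key in HOOK_KEYS:
        expected, actual = baseline.get(key), observed.get(key)
        if actual == expected:
            continue
        if expected is None:
            findings.append(f"{key} set to {actual!r}; baseline has no {key}")
        elif actual is None:
            findings.append(f"{key} removed; baseline expects {expected!r}")
        else:
            findings.append(f"{key} changed from {expected!r} to {actual!r}")
        # A hook outside the sanctioned directories needs review of the referenced file.
        if actual and not actual.startswith(APPROVED_SCRIPT_DIRS):
            findings.append(f"{key} references {actual!r} outside approved script directories")
    return findings

# Constructed sample plist: the approved LoginHook replaced and a LogoutHook added.
SAMPLE_PLIST = plistlib.dumps({
    "LoginHook": "/Users/Shared/hook.sh",
    "LogoutHook": "/Library/Management/logout-cleanup.sh",
    "SHOWFULLNAME": False,
})

if __name__ == "__main__":
    for finding in find_deviations(extract_hooks(SAMPLE_PLIST), APPROVED_BASELINE):
        print("DEVIATION:", finding)
```

In practice the plist bytes would come from the endpoint's file-change telemetry or the file itself, and each deviation would be joined to the process and user that made the change before triage.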
Analyst notes and limits
The supplied ATT&CK detection strategy has no official description or detection guidance, so this take is derived from the object name, external reference, and its relationship to T1037.002 Login Hook. The related technique description supports macOS scope, persistence and privilege-escalation relevance, the loginwindow plist location, and the administrator-permission requirement.
This summary does not assert active exploitation, attribution, prevalence, or guaranteed detection. ATT&CK did not provide specific analytics, data sources, platforms on the detection-strategy object itself, or mitigation text. Local validation is required to determine whether the organization collects the necessary macOS endpoint telemetry and whether observed hooks are authorized.
Detection Strategy for Login Hook Persistence on macOS
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1037.002 | Login Hook (sub-technique) | This object detects Login Hook. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d790fdb51b4b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0244 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.