MITRE ATT&CK® Technique

T1037.002: Login Hook

Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located at /Library/Preferences/com.apple.loginwindow.plist and can be modified using the defaults command-line utility. This behavior is the same for logout hooks, where a script can be executed upon user logout. Creating or modifying a hook requires administrator permissions.[1][2]

Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.[3][4]

**Note:** Login hooks were deprecated in macOS 10.11 in favor of Launch Daemons and Launch Agents.

Domain: Enterprise. ID: T1037.002. Type: Sub-technique. Object version: 2.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Login Hook is a macOS persistence and privilege-escalation technique where a system login or logout hook causes a script to run with root privileges when a user logs on or off. For leaders, the practical issue is not just an old macOS feature: it is a high-value persistence location that can turn a single administrative change into repeat execution across user sessions. Because login hooks were deprecated in macOS 10.11 in favor of Launch Daemons and Launch Agents, any remaining use should be explainable, documented, and monitored.

Executive priority

Prioritize this as a macOS endpoint resilience and audit-control question: do teams know whether legacy login/logout hooks exist, who can change them, and whether changes are captured in evidence? The business risk is persistent privileged execution after logon, which can complicate incident containment and recovery. Security leaders should ask whether managed detection, endpoint hardening, and macOS administration standards cover legacy persistence mechanisms as well as newer Launch Daemon and Launch Agent paths.

Technical view

For SOC, detection engineering, and IR teams, validate visibility around /Library/Preferences/com.apple.loginwindow.plist and the LoginHook or LogoutHook key-value pairs. The technique requires administrator permissions to modify or create hooks, so investigation should correlate changes to this plist with privileged user activity and subsequent script execution at user logon or logout. Because only one login hook and one logout hook can exist at a time, defenders should review whether an existing legitimate hook has been altered to include unexpected commands. Relationship context indicates DET0244, Detection Strategy for Login Hook Persistence on macOS, detects this object, and M1022, Restrict File and Directory Permissions, mitigates it.

Likely telemetry

  • macOS file integrity or endpoint telemetry for /Library/Preferences/com.apple.loginwindow.plist
  • Command-line or process telemetry showing privileged modification of loginwindow preferences, including use of the defaults utility where collected
  • Privilege/admin activity logs associated with creation or modification of login/logout hooks
  • Endpoint process execution telemetry for scripts launched at user logon or logout
  • Configuration inventory showing presence, path, ownership, and permissions of LoginHook and LogoutHook values

Detection direction

  • Confirm whether DET0244-aligned logic exists for macOS systems and whether it covers both LoginHook and LogoutHook values.
  • Baseline legitimate login/logout hook usage; because the feature is deprecated, unexplained presence should be treated as higher review priority, while known administrative scripts should be documented to reduce false positives.
  • Alert on creation, modification, or unexpected path changes in /Library/Preferences/com.apple.loginwindow.plist, especially when followed by script execution at logon/logout.
  • Correlate hook changes with administrative authentication or privilege use; the ATT&CK description states administrator permissions are required.
  • Review existing hooks for added commands, not only newly created hooks, because adversaries may append to an existing hook.
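The detection points above (privileged use of the defaults utility against loginwindow preferences, and path changes to the LoginHook or LogoutHook values) can be checked directly against process-creation telemetry. The following is an added example, not code from the original page, Glexia, or MITRE: it classifies command lines that write either hook key, via `defaults`, `PlistBuddy` or `plutil`, and the telemetry records it runs over are constructed for the example. The record field names (host, user, cmdline) and the handling of a leading `sudo` are assumptions; adapt them to the EDR or unified-log export actually collected.

```python
"""Detect command lines that create or change a loginwindow LoginHook/LogoutHook.
Added example; the telemetry records below are constructed, not real logs."""
import os
import shlex
from dataclasses import dataclass
from typing import List, Optional

LOGINWINDOW_DOMAIN = "com.apple.loginwindow"
LOGINWINDOW_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"
HOOK_KEYS = ("LoginHook", "LogoutHook")


@dataclass
class Finding:
    host: str
    user: str
    tool: str       # defaults, PlistBuddy or plutil
    key: str        # LoginHook or LogoutHook
    hook_path: str  # script the hook now points at
    cmdline: str


def _is_loginwindow(arg: str) -> bool:
    """`defaults` accepts the domain name or the plist path (with or without .plist)."""
    return arg in (LOGINWINDOW_DOMAIN, LOGINWINDOW_PLIST, LOGINWINDOW_PLIST[:-6])


def _strip_sudo(argv: List[str]) -> List[str]:
    # Assumption/simplification: drop a leading `sudo` and its dash-prefixed options only.
    if argv and os.path.basename(argv[0]) == "sudo":
        argv = argv[1:]
        while argv and argv[0].startswith("-"):
            argv = argv[1:]
    return argv


def _hook_from_defaults(argv):
    # defaults write <domain|path> <key> [-string] <value>
    if len(argv) >= 5 and argv[1] == "write" and _is_loginwindow(argv[2]) and argv[3] in HOOK_KEYS:
        values = [a for a in argv[4:] if not a.startswith("-")]
        if values:
            return argv[3], values[0]
    return None


def _hook_from_plistbuddy(argv):
    # /usr/libexec/PlistBuddy -c "Set :LoginHook /path" <plist>
    # /usr/libexec/PlistBuddy -c "Add :LoginHook string /path" <plist>
    if LOGINWINDOW_PLIST not in argv:
        return None
    for i, a in enumerate(argv[:-1]):
        if a != "-c":
            continue
        parts = argv[i + 1].split()
        if len(parts) >= 3 and parts[0] in ("Set", "Add"):
            key = parts[1].lstrip(":")
            value_idx = 2 if parts[0] == "Set" else 3
            if key in HOOK_KEYS and len(parts) > value_idx:
                return key, parts[value_idx]
    return None


def _hook_from_plutil(argv):
    # plutil -replace|-insert <key> -string <value> <plist>
    if LOGINWINDOW_PLIST not in argv:
        return None
    for i, a in enumerate(argv):
        if a in ("-replace", "-insert") and i + 3 < len(argv):
            key, vtype, value = argv[i + 1], argv[i + 2], argv[i + 3]
            if key in HOOK_KEYS and vtype == "-string":
                return key, value
    return None


PARSERS = {"defaults": _hook_from_defaults, "PlistBuddy": _hook_from_plistbuddy, "plutil": _hook_from_plutil}


def classify(record: dict) -> Optional[Finding]:
    """Return a Finding if the record's command line writes a login/logout hook, else None."""
    try:
        argv = _strip_sudo(shlex.split(record["cmdline"]))
    except ValueError:  # unbalanced quotes in the captured command line
        return None
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    parser = PARSERS.get(tool)
    hit = parser(argv) if parser else None
    if hit is None:
        return None
    key, path = hit
    return Finding(record["host"], record["user"], tool, key, path, record["cmdline"])


def detect(records) -> List[Finding]:
    return [f for f in (classify(r) for r in records) if f is not None]


# Constructed sample telemetry (host, user, cmdline); not captured from a real system.
SAMPLE_RECORDS = [
    {"host": "mac-01", "user": "jdoe", "cmdline": "sudo defaults write com.apple.loginwindow LoginHook /Users/Shared/.update.sh"},
    {"host": "mac-02", "user": "root", "cmdline": "defaults write /Library/Preferences/com.apple.loginwindow LogoutHook -string /usr/local/bin/cleanup.sh"},
    {"host": "mac-03", "user": "root", "cmdline": '/usr/libexec/PlistBuddy -c "Set :LoginHook /private/tmp/.x.sh" /Library/Preferences/com.apple.loginwindow.plist'},
    {"host": "mac-04", "user": "root", "cmdline": 'defaults write com.apple.loginwindow LoginwindowText -string "Authorized use only"'},
    {"host": "mac-05", "user": "jdoe", "cmdline": "defaults read com.apple.loginwindow LoginHook"},
    {"host": "mac-06", "user": "root", "cmdline": "plutil -replace LogoutHook -string /Library/Scripts/lo.sh /Library/Preferences/com.apple.loginwindow.plist"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f.host} {f.user} {f.tool} set {f.key} -> {f.hook_path}")
```

Four of the six constructed records produce a finding; the read of the key and the write to an unrelated loginwindow key do not. A direct edit of the plist with a text editor or a raw file copy bypasses this command-line logic, which is why file-integrity telemetry on the plist itself (first item under Likely telemetry) is still needed alongside it.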

Mitigation priorities

  • Apply M1022 principles: restrict file and directory permissions so only authorized administrators can modify sensitive loginwindow preference files and referenced scripts.
  • Remove unnecessary write permissions on sensitive files and directories associated with login/logout hook configuration and script locations.
  • Inventory and justify any legacy login/logout hook use; migrate legitimate administrative needs to supported macOS mechanisms where appropriate to the environment.
  • During incident response, inspect both the plist value and the referenced script content, ownership, and permissions before declaring persistence removed.
  • Maintain administrative change-control evidence for macOS persistence-relevant locations to support audit and recovery decisions.
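The inventory item under Likely telemetry (presence, path, ownership and permissions of the hook values) and the incident-response item above (inspect the plist value and the referenced script before declaring persistence removed) are the same check. The following is an added example, not code from the original page, Glexia, or MITRE: it parses a loginwindow plist (XML or binary, via the standard-library plistlib), extracts any LoginHook/LogoutHook values, and reports why the referenced script would be unsafe to run as root. The sample plist and script are constructed in a temporary directory so the block runs offline; `audit_live_system()` reads the real file when run on a Mac with read access to it. The list of user-writable path prefixes is an assumption about where a root-executed hook should never live.

```python
"""Audit /Library/Preferences/com.apple.loginwindow.plist for login/logout hooks and
check the referenced script's ownership and permissions. Added example with a
constructed sample plist; run audit_live_system() on a Mac to check the real file."""
import os
import plistlib
import stat
import tempfile
from typing import Dict, List

LOGINWINDOW_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"
HOOK_KEYS = ("LoginHook", "LogoutHook")
# Assumption: a root-executed hook living under any of these is suspect by location alone.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")


def extract_hooks(plist_bytes: bytes) -> Dict[str, str]:
    """Return {key: script path} for any hook present; plistlib reads XML and binary plists."""
    data = plistlib.loads(plist_bytes)
    return {k: str(data[k]) for k in HOOK_KEYS if k in data}


def audit_hook_script(path: str) -> List[str]:
    """List reasons the script a hook points at is unsafe to run as root at logon/logout."""
    issues = []
    if any(path.startswith(p) for p in USER_WRITABLE_PREFIXES):
        issues.append(f"{path} is in a user-writable location")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        issues.append(f"{path} does not exist (dangling hook: whoever can create it runs as root)")
        return issues
    if stat.S_ISLNK(st.st_mode):
        issues.append(f"{path} is a symlink; resolve and audit the target too")
    if st.st_uid != 0:
        issues.append(f"{path} is owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"{path} is group- or world-writable")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        issues.append(f"parent directory of {path} is world-writable without the sticky bit")
    return issues


def audit_loginwindow(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Map 'Key=path' to its issues (an empty list means nothing flagged, not 'safe')."""
    return {f"{k}={p}": audit_hook_script(p) for k, p in extract_hooks(plist_bytes).items()}


def audit_live_system() -> Dict[str, List[str]]:
    """Read the real system plist (binary on modern macOS; needs read access to the file)."""
    with open(LOGINWINDOW_PLIST, "rb") as fh:
        return audit_loginwindow(fh.read())


def build_sample() -> bytes:
    """Constructed sample only: a binary plist whose LoginHook points at a world-writable
    script in a temp dir and whose LogoutHook points at a path that does not exist."""
    tmp = tempfile.mkdtemp(prefix="loginhook-demo-")
    script = os.path.join(tmp, ".update.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# placeholder; a real hook runs this as root at every logon\n")
    os.chmod(script, 0o777)
    data = {"LoginHook": script,
            "LogoutHook": "/Users/Shared/.cleanup.sh",
            "LoginwindowText": "Authorized use only"}  # unrelated key, must be ignored
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for hook, problems in audit_loginwindow(build_sample()).items():
        print(hook)
        for problem in problems:
            print("  -", problem)
```

Two findings matter most for response: a hook that points at a path that does not exist is still live persistence, because the first principal able to create that file gets root at the next logon, and a script that passes the checks still has to be read, since a legitimately owned, root-only script can carry appended commands.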

Analyst notes and limits

This object is a macOS sub-technique of Boot or Logon Initialization Scripts and maps to persistence and privilege escalation. The ATT&CK description specifically identifies /Library/Preferences/com.apple.loginwindow.plist, LoginHook and LogoutHook keys, root execution at user logon/logout, administrator permission requirements, and deprecation in macOS 10.11. Relationship context provides one detection strategy, DET0244, and one mitigation, M1022.

The supplied ATT&CK object does not include official detection text, procedure examples, adversary attribution, or active exploitation claims. Local macOS version mix, endpoint telemetry depth, administrative tooling, and legitimate legacy hook usage must be validated before assessing exposure or detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1037 | Boot or Logon Initialization Scripts | This object is a sub-technique of Boot or Logon Initialization Scripts.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Raw hash: 3c769ea45c6e05ed...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 3c769ea45c6e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.
  2. Apple. (n.d.). LoginWindowScripts. Retrieved April 1, 2022.
  3. Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved March 27, 2020.
  4. Wardle, P. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.
  5. MITRE ATT&CK. T1037.002: Login Hook.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.