← Library
splApache-2.0from splunk/security_content

MacOS LoginHook Persistence

Identifies attempts to configure a macOS LoginHook via the defaults utility. LoginHooks enable automatic execution of a script or program upon user login and have historically been abused for persistence. Creation or modification of this setting may indicate an attempt to establish startup execution outside standard LaunchAgent mechanisms.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/macos_loginhook_persistence.yml
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process = "*defaults *"
Processes.process = "*write*"
Processes.process = "*loginwindow*"
Processes.process = "*loginhook*"

by Processes.dest Processes.original_file_name Processes.parent_process_id
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_current_directory Processes.process_name
   Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_loginhook_persistence_filter`
MacOS LoginHook Persistence · SPL rule | DetectionLint