T1037.002 - Boot or Logon Initialization Scripts: Logon Script (Mac)
Description from ATT&CK (opens in a new tab)
Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the
/Library/Preferences/com.apple.loginwindow.plistfile and can be modified using thedefaultscommand-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)Adversaries can add or insert a path to a malicious script in the
com.apple.loginwindow.plistfile, using theLoginHookorLogoutHookkey-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)Note: Login hooks were deprecated in 10.11 version of macOS in favor of Launch Daemon (opens in a new tab) and Launch Agent (opens in a new tab)
Atomic Tests
Atomic Test #1 - Logon Scripts - Mac
Mac logon script
Supported Platforms: macOS
auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4
Run it with these steps!
-
Create the required plist file
sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
-
Populate the plist with the location of your shell script
sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
-
Create the required plist file in the target user's Preferences directory
touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
-
Populate the plist with the location of your shell script
defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh