T1037.002 - Logon Script (Mac)

Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook)

Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. Only one login hook can be set at a time, however, and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary.

Atomic Tests


Atomic Test #1 - Logon Scripts - Mac

Mac logon script

Supported Platforms: macOS

Run it with these steps!

  1. Create the required plist file

    sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist

  2. Populate the plist with the location of your shell script

    sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh

  3. Create the required plist file in the target user's Preferences directory

    touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist

  4. Populate the plist with the location of your shell script

    defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
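
To confirm what the steps above left behind, or to sweep a host or mounted disk image for the same artifact, the following added example (not part of the Atomic Red Team test) reads the two com.apple.loginwindow.plist locations used above and reports any hook entry and whether its script exists. The function names and the optional root-directory argument are assumptions of this example, and it also checks LogoutHook, the sibling loginwindow key, which this page does not mention.

```python
#!/usr/bin/env python3
"""List LoginHook/LogoutHook entries in com.apple.loginwindow preference files."""
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

PLIST_NAME = "com.apple.loginwindow.plist"
# LoginHook is the key set by the steps above; LogoutHook is its sibling key
# (an addition of this example, not named on the page).
HOOK_KEYS = ("LoginHook", "LogoutHook")


def candidate_plists(root):
    """Yield the preference files the steps above write to, relative to `root`."""
    root = Path(root)
    yield root / "private/var/root/Library/Preferences" / PLIST_NAME
    yield from sorted(root.glob("Users/*/Library/Preferences/" + PLIST_NAME))


def find_login_hooks(root="/"):
    """Return [(plist_path, key, script_path, script_exists)] for every hook set."""
    findings = []
    for plist in candidate_plists(root):
        try:
            with open(plist, "rb") as fh:
                prefs = plistlib.load(fh)  # accepts both XML and binary plists
        except (OSError, ValueError, ExpatError):
            # Missing, unreadable, malformed, or zero-byte (as left by `touch`
            # before `defaults write` runs): no hook to report.
            continue
        if not isinstance(prefs, dict):
            continue
        for key in HOOK_KEYS:
            script = prefs.get(key)
            if isinstance(script, str) and script:
                # Resolve the script inside `root` so mounted images work too.
                target = Path(root) / script.lstrip("/")
                findings.append((str(plist), key, script, target.is_file()))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for plist, key, script, exists in find_login_hooks(root):
        state = "present" if exists else "MISSING"
        print(f"{plist}: {key} -> {script} (script {state})")
```

On a live system, run it as root so the plist under /private/var/root is readable; an unreadable file is skipped rather than reported.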