MITRE ATT&CK Technique
Persistence T1037.002
Description

Adversaries may use a login hook to establish persistence that is executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located at `/Library/Preferences/com.apple.loginwindow.plist` and can be modified using the `defaults` command-line utility. Logout hooks behave the same way, except that the script is executed upon user logout. Creating or modifying a hook requires administrator permissions.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)

Adversaries can add or insert a path to a malicious script in the `com.apple.loginwindow.plist` file, using the `LoginHook` or `LogoutHook` key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)

**Note:** Login hooks were deprecated in macOS 10.11 in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001).
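As an added example (not part of the ATT&CK entry), the following Python code audits the plist described above for the `LoginHook` and `LogoutHook` keys. The function names and the sample plists are constructed for illustration; only the file path and key names come from the description.

```python
import plistlib
from pathlib import Path

# Path and key names are those given in the technique description.
LOGINWINDOW_PLIST = Path("/Library/Preferences/com.apple.loginwindow.plist")
HOOK_KEYS = ("LoginHook", "LogoutHook")


def find_hooks(plist_bytes):
    """Return {key: value} for each hook key present in a loginwindow plist.

    plistlib.loads() auto-detects XML and binary plists. Unparseable input
    raises ValueError so a damaged file is reported, not silently passed.
    """
    try:
        prefs = plistlib.loads(plist_bytes)
    except Exception as exc:  # plistlib raises several types on bad input
        raise ValueError(f"unparseable plist: {exc}") from exc
    if not isinstance(prefs, dict):
        raise ValueError("top-level plist object is not a dictionary")
    return {k: prefs[k] for k in HOOK_KEYS if k in prefs}


def audit(plist_path=LOGINWINDOW_PLIST):
    """Audit one host: list of (key, script_path, script_exists) findings."""
    if not plist_path.exists():
        return []  # no loginwindow preferences file, so no hooks
    hooks = find_hooks(plist_path.read_bytes())
    return [(k, str(v), Path(str(v)).exists()) for k, v in hooks.items()]


# Constructed sample inputs (not taken from a real host).
SAMPLE_HOOKED = plistlib.dumps(
    {"LoginHook": "/path/to/constructed-hook.sh", "SHOWFULLNAME": True},
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_CLEAN = plistlib.dumps({"SHOWFULLNAME": True})

if __name__ == "__main__":
    # Reading the real file typically requires running on the macOS host.
    for key, script, exists in audit():
        print(f"{key} -> {script} (script present: {exists})")
```

Because login hooks are deprecated, any hit is worth reviewing; since an existing hook script can be extended with additional commands, review the referenced script's contents as well as the key.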

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-01-10T16:01:15.995Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use a Login Hook to establish persistence '
                'executed upon user logon. A login hook is a plist file that '
                'points to a specific script to execute with root privileges '
                'upon user logon. The plist file is located in the '
                '<code>/Library/Preferences/com.apple.loginwindow.plist</code> '
                'file and can be modified using the <code>defaults</code> '
                'command-line utility. This behavior is the same for logout '
                'hooks where a script can be executed upon user logout. All '
                'hooks require administrator permissions to modify or create '
                'hooks.(Citation: Login Scripts Apple Dev)(Citation: '
                'LoginWindowScripts Apple Dev) \n'
                '\n'
                'Adversaries can add or insert a path to a malicious script in '
                'the <code>com.apple.loginwindow.plist</code> file, using the '
                '<code>LoginHook</code> or <code>LogoutHook</code> key-value '
                'pair. The malicious script is executed upon the next user '
                'login. If a login hook already exists, adversaries can add '
                'additional commands to an existing login hook. There can be '
                'only one login and logout hook on a system at a '
                'time.(Citation: S1 macOs Persistence)(Citation: Wardle '
                'Persistence Chapter)\n'
                '\n'
                '**Note:** Login hooks were deprecated in 10.11 version of '
                'macOS in favor of [Launch '
                'Daemon](https://attack.mitre.org/techniques/T1543/004) and '
                '[Launch '
                'Agent](https://attack.mitre.org/techniques/T1543/001) ',
 'external_references': [{'external_id': 'T1037.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1037/002'},
                         {'description': 'Apple. (2016, September 13). '
                                         'Customizing Login and Logout. '
                                         'Retrieved April 1, 2022.',
                          'source_name': 'Login Scripts Apple Dev',
                          'url': 'https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html'},
                         {'description': 'Apple. (n.d.). LoginWindowScripts. '
                                         'Retrieved April 1, 2022.',
                          'source_name': 'LoginWindowScripts Apple Dev',
                          'url': 'https://developer.apple.com/documentation/devicemanagement/loginwindowscripts'},
                         {'description': 'Patrick Wardle. (n.d.). Chapter 0x2: '
                                         'Persistence. Retrieved April 13, '
                                         '2022.',
                          'source_name': 'Wardle Persistence Chapter',
                          'url': 'https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf'},
                         {'description': 'Stokes, P. (2019, July 17). How '
                                         'Malware Persists on macOS. Retrieved '
                                         'March 27, 2020.',
                          'source_name': 'S1 macOs Persistence',
                          'url': 'https://www.sentinelone.com/blog/how-malware-persists-on-macos/'}],
 'id': 'attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:48:42.963Z',
 'name': 'Login Hook',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '2.0'}