Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook)Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary.
Mac logon script
Supported Platforms: macOS
-
Create the required plist file
sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
-
Populate the plist with the location of your shell script
sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
-
Create the required plist file in the target user's Preferences directory
touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
-
Populate the plist with the location of your shell script
defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh