IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Persistence via Login Hook
editPotential Persistence via Login Hook
editIdentifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Persistence
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.
Rule query
editevent.category:"file" and not event.type:"deletion" and file.name:"com.apple.loginwindow.plist" and process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor" ))
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
-
Sub-technique:
- Name: Plist Modification
- ID: T1547.011
- Reference URL: https://attack.mitre.org/techniques/T1547/011/