
Potential Persistence via Login Hook


Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide


com.apple.loginwindow.plist is the preference file read by the macOS login window. It can carry a LoginHook (or LogoutHook) key naming a program that loginwindow runs as root whenever a user logs in or out, and, starting in Mac OS X 10.7 (Lion), it also records which applications are re-opened when a user logs back in after a reboot. Either mechanism can be abused to establish or maintain persistence on a compromised system. When this rule fires, identify the process that wrote the file, inspect the plist for hook entries, and verify that any referenced program is expected and unmodified.
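The triage step above, as an added example written for this page (it is not part of the Elastic rule or its investigation guide): parse a com.apple.loginwindow.plist and report any LoginHook or LogoutHook entries. The plist bytes in the block are constructed for the example; the two paths in DEFAULT_PLIST_PATHS are the usual root and per-user locations of the file and are an assumption about the host being examined.

```python
"""Added triage helper (not Elastic's code): read a com.apple.loginwindow.plist
and report any LoginHook/LogoutHook entries it carries.

The sample plist bytes below are constructed for this example; the paths in
DEFAULT_PLIST_PATHS are the usual locations of the root and per-user copies.
"""
import os
import plistlib
from typing import Dict, Iterable, List

# Keys that make loginwindow run an arbitrary program (as root) at login/logout.
HOOK_KEYS = ("LoginHook", "LogoutHook")

# Assumed locations: root's copy (where `sudo defaults write com.apple.loginwindow
# LoginHook ...` lands) and the current user's copy.
DEFAULT_PLIST_PATHS = [
    "/var/root/Library/Preferences/com.apple.loginwindow.plist",
    os.path.expanduser("~/Library/Preferences/com.apple.loginwindow.plist"),
]


def find_login_hooks(plist_bytes: bytes) -> Dict[str, str]:
    """Return {key: program path} for every hook key present in the plist.

    plistlib.loads accepts both XML and binary plists, which matters because
    `defaults write` stores the file in binary form.
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        return {}
    return {key: str(data[key]) for key in HOOK_KEYS if key in data}


def scan_paths(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Parse each existing plist and return one finding per hook entry."""
    findings = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                hooks = find_login_hooks(fh.read())
        except FileNotFoundError:
            continue  # no plist at this location is the normal, clean state
        except plistlib.InvalidFileException:
            findings.append({"path": path, "key": "<unparseable>", "program": ""})
            continue
        for key, program in hooks.items():
            findings.append({"path": path, "key": key, "program": program})
    return findings


# Constructed sample: a root plist carrying a login hook that runs a shell script.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LoginHook</key>
    <string>/Library/Scripts/update.sh</string>
    <key>SHOWFULLNAME</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the same preference file holding only display settings.
BENIGN_PLIST = plistlib.dumps({"SHOWFULLNAME": True, "GuestEnabled": False})

# Constructed sample in binary form, as `defaults write` would store it.
BINARY_HOOK_PLIST = plistlib.dumps(
    {"LogoutHook": "/private/tmp/.cleanup"}, fmt=plistlib.FMT_BINARY
)

if __name__ == "__main__":
    print("sample hooks:", find_login_hooks(SUSPICIOUS_PLIST))
    for finding in scan_paths(DEFAULT_PLIST_PATHS):
        print(f"{finding['path']}: {finding['key']} -> {finding['program']}")
```

Run it on the host as root so the root-owned copy is readable; an empty result from scan_paths means no hook keys were found at the assumed locations, not that the file is absent from other preference domains.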

Rule query

event.category:"file" and not event.type:"deletion" and
file.name:"com.apple.loginwindow.plist" and process.name:(* and not
(systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync
or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))
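To make the match boundary of the query concrete, here is an added example (written for this page, not Elastic's rule engine) that applies the same four conditions to constructed ECS-style file events: category must include "file", the type must not be "deletion" (an absent type passes), the file name must match, and the writing process must be attributed and not on the exclusion list. The events are constructed, not captured from a real host.

```python
"""Added example (not Elastic's rule engine): apply the rule's query logic to
constructed ECS-style file events so the match/no-match boundary is visible.

Field names follow ECS as used in the query; the events are constructed.
"""
from typing import Any, Dict, List

TARGET_FILE = "com.apple.loginwindow.plist"

# Processes the rule excludes because they routinely rewrite this plist.
EXCLUDED_PROCESSES = frozenset({
    "systemmigrationd", "DesktopServicesHelper", "diskmanagementd", "rsync",
    "launchd", "cfprefsd", "xpcproxy", "ManagedClient", "MCXCompositor",
})


def _has_value(event: Dict[str, Any], field: str, value: str) -> bool:
    """KQL `field:"value"`: true if value equals the field or is one of its array values."""
    present = event.get(field)
    if present is None:
        return False
    if isinstance(present, (list, tuple, set)):
        return value in present
    return present == value


def matches_rule(event: Dict[str, Any]) -> bool:
    """Mirror of:
    event.category:"file" and not event.type:"deletion" and
    file.name:"com.apple.loginwindow.plist" and
    process.name:(* and not (<excluded list>))
    """
    if not _has_value(event, "event.category", "file"):
        return False
    # `not event.type:"deletion"` is also true when event.type is absent.
    if _has_value(event, "event.type", "deletion"):
        return False
    if not _has_value(event, "file.name", TARGET_FILE):
        return False
    process_name = event.get("process.name")
    # `process.name:*` requires the field to exist; the exclusion is exact-match.
    if process_name is None:
        return False
    return process_name not in EXCLUDED_PROCESSES


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that would raise an alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (ECS field names, flattened).
SAMPLE_EVENTS = [
    {   # a shell writing root's loginwindow plist directly: should alert
        "event.category": ["file"], "event.type": ["creation"],
        "file.name": TARGET_FILE,
        "file.path": "/var/root/Library/Preferences/com.apple.loginwindow.plist",
        "process.name": "bash",
    },
    {   # the preferences daemon rewriting the same file: excluded by the rule
        "event.category": ["file"], "event.type": ["change"],
        "file.name": TARGET_FILE, "process.name": "cfprefsd",
    },
    {   # deleting the plist: the rule only cares about creation/modification
        "event.category": ["file"], "event.type": ["deletion"],
        "file.name": TARGET_FILE, "process.name": "rm",
    },
    {   # a different plist: wrong file name
        "event.category": ["file"], "event.type": ["change"],
        "file.name": "com.apple.dock.plist", "process.name": "bash",
    },
    {   # file event with no process attribution: process.name:* fails
        "event.category": ["file"], "event.type": ["change"],
        "file.name": TARGET_FILE,
    },
    {   # plutil editing the plist with event.type missing: still alerts
        "event.category": ["file"],
        "file.name": TARGET_FILE, "process.name": "plutil",
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["process.name"], hit.get("event.type"), hit["file.name"])
```

The second sample event shows the rule's main blind spot: preference writes made through the CFPreferences API, such as `defaults write com.apple.loginwindow LoginHook ...`, are typically carried out by cfprefsd on the caller's behalf, and cfprefsd is on the exclusion list. Pair this rule with process and command-line telemetry for `defaults write` against the loginwindow domain so that route is not missed.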

Threat mapping


Framework: MITRE ATT&CK™
