Login Hooks
Overview
Evidence: Login Hooks
Description: Collect Login Hooks
Category: System
Platform: macos
Short Name: lihks
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Login Hooks are a legacy macOS persistence mechanism that allows administrators to specify scripts or applications to be executed automatically when a user logs in. These hooks are configured in /Library/Preferences/com.apple.loginwindow.plist and execute with the privileges of the logged-in user. While deprecated in favor of LaunchAgents, Login Hooks remain a viable persistence method for both legitimate administrative tasks and malicious activity.
Data Collected
This collector gathers structured data about any Login Hook configured on the system: the path of the hooked executable or script and the timestamps of the plist that defines it.
Collection Method
This collector reads the com.apple.loginwindow.plist file and extracts the LoginHook key value, which specifies the path to the executable or script that runs at login. It also captures file metadata including modification, access, and change timestamps to help establish a timeline of hook configuration changes.
Forensic Value
Login Hooks are a critical persistence indicator and are often abused by malware to maintain access to compromised systems. Monitoring Login Hooks helps detect unauthorized persistence mechanisms, backdoors, and malicious scripts configured to execute at user login. The timestamps provide valuable timeline information for incident response. Unusual or unsigned executables in Login Hooks are strong indicators of compromise and should be investigated immediately.
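The following script is an added example, not the collector's own code, showing the collection method and the triage logic described in the two sections above: it parses a com.apple.loginwindow.plist with the standard plistlib module, extracts the LoginHook value, records the file's modification, access and change timestamps, and then applies a few simple path heuristics to the hook. The SUSPICIOUS_PREFIXES list, the finding strings and the run_demo helper are assumptions made for this example; the constructed sample plist is written to a temporary directory so the script runs offline on any platform.

```python
"""Added example: parse a loginwindow plist for a LoginHook and triage the result."""
import os
import plistlib
import stat
import tempfile
from datetime import datetime, timezone

# Path the collector reads on a live macOS host; overridable for offline use.
DEFAULT_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"

# Assumed heuristic: locations where an admin-installed hook rarely lives.
SUSPICIOUS_PREFIXES = (
    "/tmp/",
    "/private/tmp/",
    "/var/tmp/",
    "/Users/Shared/",
    "/private/var/folders/",
)


def _iso(ts):
    """Render a POSIX timestamp as an ISO-8601 UTC string for timeline use."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def collect_login_hook(plist_path=DEFAULT_PLIST):
    """Return the LoginHook value plus plist timestamps, or None if the plist is absent.

    plistlib.load accepts both XML and binary property lists, so the file may be
    in either form.
    """
    if not os.path.exists(plist_path):
        return None
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    st = os.stat(plist_path)
    return {
        "plist": plist_path,
        "login_hook": data.get("LoginHook"),  # None when no hook is configured
        "modified": _iso(st.st_mtime),
        "accessed": _iso(st.st_atime),
        "changed": _iso(st.st_ctime),
    }


def triage_hook(record):
    """Flag a hook record using assumed path heuristics (not the collector's own rules)."""
    findings = []
    hook = record.get("login_hook") if record else None
    if not hook:
        return findings
    if not os.path.isabs(hook):
        findings.append("hook path is not absolute")
    if hook.startswith(SUSPICIOUS_PREFIXES):
        findings.append("hook in temporary or shared directory")
    if os.path.exists(hook):
        # A world-writable hook target lets any local user alter what runs at login.
        if os.stat(hook).st_mode & stat.S_IWOTH:
            findings.append("hook target is world-writable")
    else:
        findings.append("hook target missing on disk")
    return findings


def build_sample_plist(directory, hook_path):
    """Write a constructed com.apple.loginwindow.plist for offline demonstration."""
    path = os.path.join(directory, "com.apple.loginwindow.plist")
    with open(path, "wb") as fh:
        plistlib.dump({"LoginHook": hook_path, "SHOWFULLNAME": False}, fh)
    return path


def run_demo(hook_path="/private/tmp/.update.sh"):
    """Collect and triage a constructed plist; returns (record, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        record = collect_login_hook(build_sample_plist(tmp, hook_path))
    return record, triage_hook(record)


if __name__ == "__main__":
    rec, flags = run_demo()
    print(rec)
    print(flags)
```

On a real host the script is run as root against DEFAULT_PLIST; the timestamps come from the plist itself, so they date the last configuration change rather than the hook's first use. The heuristics are a starting point only; confirming whether the hook target is signed and expected still requires inspecting the file itself.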