Logout Hooks

Overview

Evidence: Logout Hooks
Description: Collect Logout Hooks
Category: System
Platform: macos
Short Name: lohks
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Logout Hooks are a legacy macOS mechanism that lets an administrator name a script or executable that loginwindow runs automatically when a user logs out. Like Login Hooks, they are configured in /Library/Preferences/com.apple.loginwindow.plist (the LogoutHook key, alongside the LoginHook key), and the hook runs with root privileges, with the short name of the user logging out passed as its first argument. Whoever can write that key or the target script therefore gets root code execution at every logout. Apple deprecated the mechanism in favour of launchd agents and daemons, but a configured hook is still honoured, which keeps it useful to attackers for data exfiltration, log clearing, evidence destruction, or cleaning up the traces of other persistence at logout.

Data Collected

This collector returns a structured record for the configured logout hook: the value of the LogoutHook key (the path of the script or executable that runs at logout) together with the timestamps of the plist that defines it.

Collection Method

This collector reads the com.apple.loginwindow.plist file and extracts the value of the LogoutHook key, which is the path of the executable or script that runs at logout. It also captures the plist's file metadata, including modification, access and change timestamps, to help establish when the hook was configured or last modified. Note that these timestamps belong to the whole plist, so any other loginwindow preference written later also updates them; an analyst should compare them with the timestamps and ownership of the target script itself, which the collector does not copy (Collect File(s): No).

Forensic Value

Logout Hooks are particularly valuable for detecting anti-forensic activity, because the hook runs as root at the moment a session ends, which is exactly when an intruder wants to clear logs, delete artifacts, or exfiltrate collected data before a shutdown or the next investigator login. Reviewing the configured hook, its target path, and what that script does helps identify exfiltration mechanisms, log tampering and evidence destruction. An unauthorized or unexpected LogoutHook value, or a target script that is writable by non-root users, may indicate an advanced persistent threat covering its tracks or protecting its operational security, and warrants pulling the script for analysis.
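The parsing and timestamp capture described under Collection Method, plus the triage an analyst would do with the result described above, as an added example. This is illustrative Python written for this page, not the collector's own code: it uses the standard plistlib module, reads both hook keys from a constructed com.apple.loginwindow.plist, records the plist's and the target script's timestamps (including birth time where the OS exposes it), and applies a small, assumed set of heuristic flags (world-writable script, non-root owner, unusual location, log-clearing commands in the script body). The fixture built by build_sample() is constructed sample data.

```python
import os
import plistlib
import stat
import tempfile
from datetime import datetime, timezone

# The two hook keys loginwindow honours; LogoutHook is this page's subject.
HOOK_KEYS = ("LogoutHook", "LoginHook")

# Heuristic strings for a triage pass over the hook script body. This list is an
# assumption for illustration, not the collector's own detection logic.
ANTI_FORENSIC_TOKENS = ("log erase", "rm -rf", "srm ", ".zsh_history",
                        ".bash_history", "/var/log")


def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def file_times(path):
    """Modification, access and change times; birth time where the OS exposes it."""
    st = os.stat(path)
    times = {"mtime": _iso(st.st_mtime), "atime": _iso(st.st_atime),
             "ctime": _iso(st.st_ctime)}
    birth = getattr(st, "st_birthtime", None)  # present on macOS, absent on Linux
    if birth is not None:
        times["btime"] = _iso(birth)
    return times


def triage(script_path):
    """Cheap flags an analyst wants next to the hook record (heuristics, assumed)."""
    flags = []
    st = os.stat(script_path)
    if st.st_mode & stat.S_IWOTH:
        flags.append("world_writable")   # anyone can swap the payload that root will run
    if st.st_uid != 0:
        flags.append("not_root_owned")   # the hook runs as root, the script owner need not be
    if not script_path.startswith(("/Library/", "/usr/local/")):
        flags.append("unusual_location")
    try:
        with open(script_path, "r", errors="replace") as fh:
            body = fh.read()
    except OSError:
        return flags                     # unreadable body: keep the metadata flags only
    flags.extend(f"contains:{tok}" for tok in ANTI_FORENSIC_TOKENS if tok in body)
    return flags


def collect_hooks(plist_path="/Library/Preferences/com.apple.loginwindow.plist"):
    """One record per configured hook; [] when the plist or the hook keys are absent."""
    try:
        with open(plist_path, "rb") as fh:
            prefs = plistlib.load(fh)    # handles both XML and binary plists
    except FileNotFoundError:
        return []                        # no loginwindow prefs at all: nothing to report
    records = []
    for key in HOOK_KEYS:
        target = prefs.get(key)
        if not target:
            continue                     # key missing or set to an empty string
        rec = {"key": key, "target": target, "plist_times": file_times(plist_path),
               "target_exists": os.path.isfile(target)}
        if rec["target_exists"]:
            rec["target_times"] = file_times(target)
            rec["flags"] = triage(target)
        else:
            rec["flags"] = ["target_missing"]  # dangling hook: deleted or never staged
        records.append(rec)
    return records


def build_sample(workdir):
    """Constructed fixture: a plist whose LogoutHook points at a world-writable
    log-clearing script. Not real evidence."""
    script = os.path.join(workdir, "cleanup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# constructed sample payload\nlog erase --all\n"
                 "rm -f /Users/*/.zsh_history\n")
    os.chmod(script, 0o777)
    plist = os.path.join(workdir, "com.apple.loginwindow.plist")
    with open(plist, "wb") as fh:
        plistlib.dump({"SHOWFULLNAME": True, "LogoutHook": script}, fh)
    return plist


def demo():
    """Run the collector over the constructed fixture and return its records."""
    with tempfile.TemporaryDirectory() as d:
        return collect_hooks(build_sample(d))


if __name__ == "__main__":
    for rec in demo():
        print(rec["key"], "->", rec["target"], rec["flags"])
```

On a live macOS host, call collect_hooks() with its default path (reading the plist needs root). The "unusual_location" and "not_root_owned" flags are only heuristics; a hook under /Library/ owned by root can still be malicious, so the script body is always worth pulling.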
