{
  "author": [
    "Elastic"
  ],
  "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.",
  "from": "now-9m",
  "index": [
    "auditbeat-*",
    "logs-endpoint.events.*"
  ],
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "Potential Persistence via Login Hook",
  "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.",
  "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))\n",
  "references": [
    "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"
  ],
  "risk_score": 47,
  "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8",
  "severity": "medium",
  "tags": [
    "Elastic",
    "Host",
    "macOS",
    "Threat Detection",
    "Persistence"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0003",
        "name": "Persistence",
        "reference": "https://attack.mitre.org/tactics/TA0003/"
      },
      "technique": [
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "reference": "https://attack.mitre.org/techniques/T1547/",
          "subtechnique": [
            {
              "id": "T1547.011",
              "name": "Plist Modification",
              "reference": "https://attack.mitre.org/techniques/T1547/011/"
            }
          ]
        }
      ]
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "query",
  "version": 2
}