# *macOS LoginWindow Hooks & Authorization Plugins*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1556 | Modify Authentication Process | https://attack.mitre.org/techniques/T1556 |


#### Description
This rule detects the creation or modification of files within specific macOS directories associated with LoginWindow hooks and Authorization Plugins. These locations are commonly abused by adversaries to establish persistence or elevate privileges by injecting malicious code that executes during the login process. The rule specifically looks for file events in '/Library/Security/SecurityAgentPlugins/', '/System/Library/CoreServices/SecurityAgentPlugins/', '/Library/Security/SecurityAgentPlugins.bundle', or any file activity within a 'loginwindow' path. It excludes activities initiated by legitimate installers and software updaters to reduce false positives. Additionally, it filters for files with low global prevalence, indicating potentially suspicious or custom binaries.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://securitylab.github.com/research/macos-login-items/
- https://objective-see.org/blog/blog_0x31.html


## Defender XDR
```KQL
// Initiating processes treated as legitimate installers/updaters (the `!in` match is case-sensitive)
let ExcludedBinaries = dynamic(["installer", "softwareupdated", "installd"]);
DeviceFileEvents
| where Timestamp > ago(24h)
// Authorization plugin bundle locations, plus create/modify activity under any loginwindow path
| where FolderPath has_any (
    "/Library/Security/SecurityAgentPlugins/",
    "/System/Library/CoreServices/SecurityAgentPlugins/",
    "/Library/Security/SecurityAgentPlugins.bundle"
    )
    or (FolderPath contains "/loginwindow" and ActionType in ("FileCreated", "FileModified"))
| where InitiatingProcessFileName !in (ExcludedBinaries)
// Enrich with file reputation; GlobalPrevalence is null for hashes that have never been seen,
// and a bare `< 10000` comparison would silently drop those rows, so keep them explicitly
| invoke FileProfile(SHA1)
| where isnull(GlobalPrevalence) or GlobalPrevalence < 10000
```

## Explanation

This query is designed to detect potentially malicious activities on macOS systems related to the login process. It focuses on identifying the creation or modification of files in specific directories that are known to be targeted by attackers to maintain persistence or gain elevated privileges. These directories include paths associated with LoginWindow hooks and Authorization Plugins.

Here's a simplified breakdown of the query:

1. Time frame: it looks at file events that have occurred in the last 24 hours.
2. Targeted directories: the query monitors specific locations:
   - /Library/Security/SecurityAgentPlugins/
   - /System/Library/CoreServices/SecurityAgentPlugins/
   - /Library/Security/SecurityAgentPlugins.bundle
   - Any path containing "/loginwindow" where files are created or modified.
3. Exclusions: it excludes file activities initiated by known legitimate processes such as "installer", "softwareupdated", and "installd" to minimize false positives.
4. Suspicious files: it further filters for files that have low global prevalence, meaning they are not commonly found across many systems, which could indicate suspicious or custom binaries.
5. Purpose: the goal is to identify unauthorized changes that could suggest an attacker is trying to inject malicious code into the login process to maintain access or escalate privileges.

Overall, this query helps security teams detect and investigate potential security threats related to macOS authentication processes.
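As an added example (not part of the original query page), the following Python emulates the query's three filters over constructed DeviceFileEvents-style rows, so two edge cases the KQL comparisons hide can be checked offline: a hash FileProfile() has never seen (null GlobalPrevalence) and the case-sensitive initiating-process exclusion. The `FileEvent` class and the sample rows are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Optional

# Watched plugin locations; KQL has_any/contains are case-insensitive, so compare lower-cased
WATCHED_PATHS = (
    "/library/security/securityagentplugins/",
    "/system/library/coreservices/securityagentplugins/",
    "/library/security/securityagentplugins.bundle",
)
# Initiating processes the query treats as legitimate; KQL `!in` is case-sensitive
EXCLUDED_INITIATORS = {"installer", "softwareupdated", "installd"}
PREVALENCE_THRESHOLD = 10000


@dataclass
class FileEvent:
    """Constructed stand-in for one DeviceFileEvents row joined with its FileProfile() result."""
    folder_path: str
    action_type: str
    initiating_process: str
    global_prevalence: Optional[int]  # None: the hash has no reputation record yet


def in_watched_location(ev: FileEvent) -> bool:
    path = ev.folder_path.lower()
    if any(p in path for p in WATCHED_PATHS):
        return True
    return "/loginwindow" in path and ev.action_type in ("FileCreated", "FileModified")


def is_rare(ev: FileEvent) -> bool:
    # A never-seen hash is the rarest case; a bare `GlobalPrevalence < 10000` in KQL
    # evaluates to null for it and silently drops the row, so treat None as a hit
    return ev.global_prevalence is None or ev.global_prevalence < PREVALENCE_THRESHOLD


def triage(events: list) -> list:
    """Apply the query's three filters and return the rows an analyst would see."""
    return [ev for ev in events
            if in_watched_location(ev)
            and ev.initiating_process not in EXCLUDED_INITIATORS
            and is_rare(ev)]


# Constructed sample rows (paths and process names are illustrative, not real indicators)
SAMPLE_EVENTS = [
    FileEvent("/Library/Security/SecurityAgentPlugins/Sample.bundle/Contents/MacOS", "FileCreated", "bash", None),
    FileEvent("/Library/Security/SecurityAgentPlugins/Sample.bundle/Contents/MacOS", "FileCreated", "installer", 25000),
    FileEvent("/Library/Security/SecurityAgentPlugins/Sample.bundle/Contents/MacOS", "FileCreated", "Installer", 12),
    FileEvent("/private/var/db/loginwindow", "FileRenamed", "launchd", 5),
    FileEvent("/Users/alice/Documents", "FileCreated", "TextEdit", 3),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit.folder_path, hit.initiating_process, hit.global_prevalence)
```

Running it surfaces the unknown-hash write by `bash` and the `Installer` row that the case-sensitive exclusion does not catch, while the `installer` row and the rename under loginwindow are filtered out.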

## Details

- Author: Benjamin Zulliger
- Released: December 31, 2025
- Tables: DeviceFileEvents
- Keywords: Devices
- Operators: let, dynamic, has_any, contains, in, !in, invoke, where, or, >, ago, <