Query Details

Mac OS Login Window Hooks Authorization Plugins

Query

let ExcludedBinaries = dynamic(["acrappyAPP"]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (
    "/Library/Security/SecurityAgentPlugins/",
    "/System/Library/CoreServices/SecurityAgentPlugins/",
    "/Library/Security/SecurityAgentPlugins.bundle"
    )
    or (FolderPath contains "/loginwindow" and ActionType in ("FileCreated", "FileModified"))
| where InitiatingProcessFileName !in ("installer", "softwareupdated", "installd")
| invoke FileProfile(SHA1)
| where GlobalPrevalence < 10000

About this query

Explanation

This query is designed to detect potentially malicious activities on macOS systems related to the login process. It focuses on identifying the creation or modification of files in specific directories that are known to be targeted by attackers to maintain persistence or gain elevated privileges. These directories include paths associated with LoginWindow hooks and Authorization Plugins.

Here's a simplified breakdown of the query:

  1. Time Frame: It looks at file events that have occurred in the last 24 hours.

  2. Targeted Directories: The query monitors specific directories:

    • /Library/Security/SecurityAgentPlugins/
    • /System/Library/CoreServices/SecurityAgentPlugins/
    • /Library/Security/SecurityAgentPlugins.bundle
    • Any path containing "loginwindow" where files are created or modified.
  3. Exclusions: It excludes file activities initiated by known legitimate processes such as "installer", "softwareupdated", and "installd" to minimize false positives.

  4. Suspicious Files: It further filters for files that have low global prevalence, meaning they are not commonly found across many systems, which could indicate suspicious or custom binaries.

  5. Purpose: The goal is to identify unauthorized changes that could suggest an attacker is trying to inject malicious code into the login process to maintain access or escalate privileges.

Overall, this query helps security teams detect and investigate potential security threats related to macOS authentication processes.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: December 31, 2025

Tables

DeviceFileEvents

Keywords

Devices

Operators

letdynamichas_anycontainsin!ininvokewhereor>ago<

MITRE Techniques

Actions

GitHub