From bb6265128b599849046553d67affcebb4d14d60c Mon Sep 17 00:00:00 2001 From: JeremyNGalloway Date: Wed, 21 Feb 2018 11:56:35 -0600 Subject: [PATCH] initial upload --- Mac/Persistence/Logon_Scripts.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 Mac/Persistence/Logon_Scripts.md diff --git a/Mac/Persistence/Logon_Scripts.md b/Mac/Persistence/Logon_Scripts.md new file mode 100644 index 00000000..57405b43 --- /dev/null +++ b/Mac/Persistence/Logon_Scripts.md @@ -0,0 +1,24 @@ +# Logon Scripts + +MITRE ATT&CK Technique: [T1037](https://attack.mitre.org/wiki/Technique/T1037) + + +### Root level loginhook (executes for all users) + +Create the required plist file + + sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist + +Populate the plist with the location of your shell script + + sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh + +### User level loginhook + +Create the required plist file in the target user's Preferences directory + + touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist + +Populate the plist with the location of your shell script + + defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
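Review bot: Both sections stop at the `defaults write com.apple.loginwindow LoginHook ...` step and give no cleanup, so a test run leaves the hook in place for every later login. Add a cleanup step at the end of each section, for example `sudo defaults delete com.apple.loginwindow LoginHook` for the root-level case and the same command without `sudo` for the user-level case, plus a `defaults read com.apple.loginwindow LoginHook` check so the tester can confirm the state before and after. Two smaller documentation points in the same hunk: the `touch` lines name a specific plist path while the `defaults write` lines name only the domain, so the text should say that the two refer to the same file (or pass the full plist path to `defaults`); and `/Library/Scripts/AtomicRedTeam.sh` is referenced in both sections but nothing in this file says what it contains or that it must exist and be executable, which should be listed as a prerequisite.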