Logout Hooks

Evidence: Logout Hooks
Description: Collect Logout Hooks
Category: System
Platform: macos
Short Name: lohks
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Logout Hooks are a legacy macOS mechanism that allows administrators to specify scripts or applications to be executed automatically when a user logs out. Similar to Login Hooks, these are configured in /Library/Preferences/com.apple.loginwindow.plist and execute with user privileges. While deprecated, Logout Hooks can be exploited for data exfiltration, log clearing, evidence destruction, or maintaining persistence by cleaning up traces during logout.

This collector gathers structured data about logout hooks.

This collector reads the com.apple.loginwindow.plist file and extracts the LogoutHook key value, which specifies the path to the executable or script that runs at logout. It captures file metadata including modification, access, and change timestamps to help establish when the hook was configured or modified.
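The extraction described above can be reproduced for triage with Python's standard plistlib. This is an added example, not the collector's own code: the function names and record layout are assumptions, and it records timestamps for both the plist and the hook target because the description does not say which file they are taken from.

```python
import os
import plistlib
import tempfile
from datetime import datetime, timezone
from xml.parsers.expat import ExpatError

PLIST_PATH = "/Library/Preferences/com.apple.loginwindow.plist"  # path named on this page

def file_times(path):
    """Modification/access/change times as UTC ISO-8601, or None if the path is missing."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"modified": iso(st.st_mtime), "accessed": iso(st.st_atime),
            "changed": iso(st.st_ctime)}

def collect_logout_hook(plist_path=PLIST_PATH):
    """Return the LogoutHook value plus timestamps for the plist and the hook target."""
    rec = {"plist": plist_path, "plist_times": file_times(plist_path),
           "logout_hook": None, "hook_times": None, "error": None}
    try:
        with open(plist_path, "rb") as fh:
            prefs = plistlib.load(fh)  # accepts both XML and binary plists
    except FileNotFoundError:
        return rec  # no loginwindow plist: nothing configured
    except (plistlib.InvalidFileException, ExpatError, OSError) as exc:
        rec["error"] = f"{type(exc).__name__}: {exc}"  # unreadable or corrupt plist
        return rec
    hook = prefs.get("LogoutHook") if isinstance(prefs, dict) else None
    if isinstance(hook, str) and hook:
        rec["logout_hook"] = hook
        rec["hook_times"] = file_times(hook)  # None: hook points at a missing file
    return rec

def demo():
    """Run against a constructed plist in a temp directory (not real evidence)."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "logout.sh")  # constructed hook target
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    plist = os.path.join(tmp, "com.apple.loginwindow.plist")
    with open(plist, "wb") as fh:
        plistlib.dump({"LogoutHook": script}, fh)
    return collect_logout_hook(plist)

if __name__ == "__main__":
    print(demo())
```

A record whose logout_hook is set but whose hook_times is None means the plist still references a script that is no longer on disk, which is worth noting when evidence destruction is suspected.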

Logout Hooks are particularly valuable for detecting anti-forensic activities, as malicious actors often use logout scripts to clear logs, delete artifacts, or exfiltrate data before system shutdown. Monitoring Logout Hooks helps identify data exfiltration mechanisms, log tampering, and evidence destruction attempts. Unauthorized Logout Hooks may indicate advanced persistent threats attempting to cover their tracks or maintain operational security.