
Summary
Identifies attempts to configure a macOS LoginHook via the defaults utility. LoginHooks enable automatic execution of a script or program upon user login and have historically been abused for persistence. Creation or modification of this setting may indicate an attempt to establish startup execution outside standard LaunchAgent mechanisms. The detection uses osquery results to surface processes that appear to configure LoginHooks by looking for commands involving defaults, write, loginwindow, and loginhook. The query collects contextual fields such as destination host, original_file_name, parent_process_id, and details about the process (name, path, exec, hash) and the user. A macro macos_loginhook_persistence_filter is applied to reduce noise and focus on relevant events. Deployment guidance notes that TA-OSquery must be deployed across indexers and universal forwarders to populate the osquery data models. The rule includes references to process auditing documentation and notes that false positives may occur in legacy environments; filtering adjustments may be required. The rule is aligned with MITRE ATT&CK technique T1037.002 (Login Hook).
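The matching logic the summary describes, as an added example and not the rule's own Splunk search or the macos_loginhook_persistence_filter macro (whose contents are not given here): the tokens defaults, write, loginwindow and loginhook are all required in the command line, the context fields are pulled from each matching record, and a parent-process allowlist stands in for the noise filter. The osquery-style field names (hostIdentifier, cmdline, parent_name, sha256, username), the sample events and the allowlist value are constructed assumptions.

```python
import json
import shlex

# Tokens the rule summary says the search keys on; all four must be present.
REQUIRED_TOKENS = ("defaults", "write", "loginwindow", "loginhook")

# Stand-in for the macos_loginhook_persistence_filter macro (its real contents
# are not on the page): parent process names an organisation has vetted.
# The name here is a constructed placeholder, not a recommendation.
DEFAULT_FILTER = {"allowed_parent_names": frozenset({"mdm-agent-placeholder"})}

# Constructed osquery-style results, one JSON object per line.  Field names
# are assumptions modelled on osquery's process tables plus a username column.
SAMPLE_EVENTS = """\
{"hostIdentifier": "mac-001", "columns": {"cmdline": "defaults write com.apple.loginwindow LoginHook /Users/Shared/.hook.sh", "name": "defaults", "path": "/usr/bin/defaults", "pid": "4311", "parent": "4300", "parent_name": "bash", "username": "alice", "sha256": "CONSTRUCTED_HASH_1"}}
{"hostIdentifier": "mac-001", "columns": {"cmdline": "defaults write com.apple.dock autohide -bool true", "name": "defaults", "path": "/usr/bin/defaults", "pid": "4312", "parent": "4300", "parent_name": "bash", "username": "alice", "sha256": "CONSTRUCTED_HASH_1"}}
{"hostIdentifier": "mac-002", "columns": {"cmdline": "defaults write com.apple.loginwindow LoginHook /Library/Management/login.sh", "name": "defaults", "path": "/usr/bin/defaults", "pid": "812", "parent": "800", "parent_name": "mdm-agent-placeholder", "username": "root", "sha256": "CONSTRUCTED_HASH_1"}}
{"hostIdentifier": "mac-003", "columns": {"cmdline": "defaults read /Library/Preferences/com.apple.loginwindow LoginHook", "name": "defaults", "path": "/usr/bin/defaults", "pid": "990", "parent": "950", "parent_name": "zsh", "username": "bob", "sha256": "CONSTRUCTED_HASH_1"}}
{"hostIdentifier": "mac-004", "columns": {"cmdline": "sudo defaults write /Library/Preferences/com.apple.loginwindow LoginHook /tmp/update.sh", "name": "sudo", "path": "/usr/bin/sudo", "pid": "1201", "parent": "1200", "parent_name": "zsh", "username": "carol", "sha256": "CONSTRUCTED_HASH_2"}}
"""


def is_loginhook_write(cmdline: str) -> bool:
    """Token match from the summary: defaults + write + loginwindow + loginhook,
    each matched case-insensitively anywhere in the command line.  A 'defaults
    read' of the same key therefore does not match, since 'write' is absent."""
    lowered = cmdline.lower()
    return all(token in lowered for token in REQUIRED_TOKENS)


def extract_hook_path(cmdline: str):
    """Return the argument following the LoginHook key (the script that would
    run at login), or None if the command line cannot be tokenised."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg.lower() == "loginhook":
            return argv[i + 1]
    return None


def detect_loginhook_persistence(events_jsonl: str, filter_cfg=DEFAULT_FILTER):
    """Return one finding per matching process, carrying the context fields the
    summary lists (destination host, parent pid, process name/path/hash, user).
    Matching is on the command line, so a wrapper such as sudo still surfaces."""
    findings = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        cols = record["columns"]
        cmdline = cols.get("cmdline", "")
        if not is_loginhook_write(cmdline):
            continue
        # Macro stand-in: suppress events whose parent is on the vetted list.
        if cols.get("parent_name") in filter_cfg["allowed_parent_names"]:
            continue
        findings.append({
            "dest": record["hostIdentifier"],
            "user": cols.get("username"),
            "process_name": cols.get("name"),
            "process_path": cols.get("path"),
            "process_id": cols.get("pid"),
            "parent_process_id": cols.get("parent"),
            "process_hash": cols.get("sha256"),
            "hook_path": extract_hook_path(cmdline),
            "technique": "T1037.002",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_loginhook_persistence(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed events, the benign defaults write (different domain) and the read of the key fall out on token matching, the MDM-parented write is suppressed by the filter stand-in, and the two remaining writes are reported with the hook script path extracted for triage. Tuning the allowlist is where the summary's note on legacy-environment false positives applies.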
Categories
- Endpoint
- macOS
Data Sources
- User Account
- Process
- File
- Logon Session
- Windows Registry
- Script
- Application Log
- Command
- Kernel
- Driver
- Module
- Pod
- Container
- Image
- Cloud Storage
- Internet Scan
- Volume
- Sensor Health
- Network Traffic
- Scheduled Job
- Service
- Domain Name
- WMI
- Active Directory
- Network Share
- Firewall
- Drive
- Snapshot
- Certificate
- Cloud Service
- Malware Repository
ATT&CK Techniques
- T1037.002
Created: 2026-02-27