
Summary
This detection rule identifies use of the macOS 'defaults' command to set a login or logout hook, a technique adversaries use to establish persistence by having code run every time a user logs in or out. It monitors process execution events for the 'defaults' command invoked with the 'write' argument together with either 'LoginHook' or 'LogoutHook', and deliberately excludes known legitimate scripts used by system-management tooling such as JAMF. That exclusion reduces false positives so that only suspicious invocations are flagged for further investigation. The detection uses Elastic endpoint event logs and is part of a broader set of rules that protect macOS systems against persistence threats. When an alert fires, investigation should cover the executed process and its parent, the user account involved, and the contents of any script referenced by the 'defaults' command. The rule aims to detect unauthorized persistence mechanisms while leaving legitimate system behavior undisturbed.
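As an added example (not the rule's own query or code), the following Python models the rule's matching and exclusion logic over constructed process events; the event fields and the allow-listed JAMF script paths are assumptions, not values from the rule.

```python
import shlex
from dataclasses import dataclass

# Assumed allow-list of management-framework hook scripts (placeholder JAMF
# paths, not taken from the rule); the rule excludes such known-good scripts.
KNOWN_GOOD_PARENT_SCRIPTS = frozenset({
    "/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh",
    "/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh",
})
HOOK_KEYS = frozenset({"LoginHook", "LogoutHook"})

@dataclass(frozen=True)
class ProcessEvent:            # assumed minimal shape of an endpoint process event
    host: str
    user: str
    process_name: str          # basename of the executable
    command_line: str
    parent_executable: str     # script or binary that spawned the process

def is_hook_write(event: ProcessEvent) -> bool:
    """True for `defaults write <domain> LoginHook|LogoutHook <script>`."""
    if event.process_name != "defaults":
        return False
    try:
        argv = shlex.split(event.command_line)
    except ValueError:         # unbalanced quotes: fall back to a plain split
        argv = event.command_line.split()
    return "write" in argv and not HOOK_KEYS.isdisjoint(argv)

def is_known_management_script(event: ProcessEvent) -> bool:
    """Exclusion mirroring the rule's allow-list for JAMF-style scripts."""
    return event.parent_executable in KNOWN_GOOD_PARENT_SCRIPTS

def detect(events):
    """Return the events that should raise the persistence alert."""
    return [e for e in events if is_hook_write(e) and not is_known_management_script(e)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("mac-01", "alice", "defaults",
                 "defaults write com.apple.loginwindow LoginHook /Users/alice/.cache/run.sh", "/bin/bash"),
    ProcessEvent("mac-02", "root", "defaults",
                 "defaults write com.apple.loginwindow LoginHook /usr/local/jamf/bin/hook.sh",
                 "/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh"),
    ProcessEvent("mac-03", "bob", "defaults", "defaults read com.apple.loginwindow LoginHook", "/bin/zsh"),
    ProcessEvent("mac-03", "bob", "defaults", "defaults write com.apple.dock autohide -bool true", "/bin/zsh"),
    ProcessEvent("mac-04", "carol", "defaults",
                 "defaults write com.apple.loginwindow LogoutHook '/tmp/clean up.sh'", "/usr/bin/python3"),
]
```

Running `detect(SAMPLE_EVENTS)` returns only the alice and carol events: the JAMF-spawned write is excluded, and the `read` and non-hook `write` never match.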
Categories
- macOS
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1037
Created: 2020-12-07