Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/puffyCid/macos-launchd

A library to parse macOS Launchd data
https://github.com/puffyCid/macos-launchd

incident-response macos rust

Last synced: about 2 months ago
JSON representation

A library to parse macOS Launchd data

Host: GitHub
URL: https://github.com/puffyCid/macos-launchd
Owner: puffyCid
License: mit
Created: 2022-02-25T04:43:03.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-08-28T05:03:07.000Z (about 2 years ago)
Last Synced: 2024-06-26T00:34:38.857Z (3 months ago)
Topics: incident-response, macos, rust
Language: Rust
Homepage:
Size: 7.81 KB
Stars: 4
Watchers: 2
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# macos-launchd
A simple macOS launchd parser (and library) written in Rust!
[launchd](https://en.wikipedia.org/wiki/Launchd) is a service management daemon for macOS.
This library/parser focuses on parsing common persistence mechanisms using launchd. Specifically:
* LaunchAgents
* LaunchDaemons

# Use Case
Parsing LaunchAgents and LaunchDaemons is mainly useful for forensic investigations. You can parse both artifacts to identify possible persistence locations.

# LaunchAgents/LaunchDaemons Data
Both LaunchAgents/LaunchDaemons are stored in PLIST files in a variety locations such as:
* `/System/Library/LaunchDaemons/`
* `/Library/launchdaemons/`
* `/Library/Apple/System/Library/LaunchDaemons/`
* `/Users//Library/LaunchAgents/`
* `/System/Library/LaunchAgents/`
* `/Library/Apple/System/Library/LaunchAgents/`

Both LaunchAgents/LaunchDaemons contain similar/same data. However, many features are optional. LaunchAgents/LaunchDaemons only have two required features. Some data includes:
* Label (Required according to Apple. However, not not all LaunchAgents/LaunchDaemons have a label)
* ProgramArguments (Required according to Apple. However, not not all LaunchAgents/LaunchDaemons have a label)

Some potential optional features:
* Program Path
* EnvironmentVariables
* LaunchEvents
* EnableTransactions

# References
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
http://technologeeks.com/docs/launchd.pdf
https://www.sentinelone.com/blog/how-malware-persists-on-macos/
man launchd.plist