Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/puffyCid/macos-loginitems

A library to parse macOS LoginItems
https://github.com/puffyCid/macos-loginitems

incident-response macos rust

Last synced: about 2 months ago
JSON representation

A library to parse macOS LoginItems

Awesome Lists containing this project

README 

        
# macos-loginitems



A simple macOS LoginItems parser (and library) written in Rust!  

LoginItems are a form of persistence on macOS. They are triggered when a user logs into a system.  This simple library lets you parse this data.



LoginItems can be created for each macOS user, it can also be embedded in an Application. 



# Use Case

Parsing LoginItems on a macOS system is mainly useful for forensic investigtions. It can be used to identify possibly persistence on a system.  



# LoginItems Data

LoginItems contain a variety of intersting data such as:

1. Path to target binary

2. Target creation time

3. Volume UUID

4. Volume creation

5. Localized Name



LoginItems can exist per user at:

* `/Users//Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm`  



And macOS Applications can bundle LoginItems which should be registered at:

* `/var/db/com.apple.xpc.launchd/loginitems..plist`

Both files are PLIST files. However, `backgrounditems.btm` is a binary PLIST file that contains macOS Bookmark data. The Bookmark data contains the LoginItem



# References

http://michaellynn.github.io/2015/10/24/apples-bookmarkdata-exposed/  

https://mac-alias.readthedocs.io/en/latest/bookmark_fmt.html  

https://www.sentinelone.com/blog/how-malware-persists-on-macos/  

https://theevilbit.github.io/beyond/beyond_0003/  



# Other Bookmark/LoginItems parsing tools

https://github.com/al45tair/mac_alias  

https://github.com/strozfriedberg/plistutils  

https://github.com/objective-see/KnockKnock