Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/puffyCid/macos-loginitems
A library to parse macOS LoginItems
incident-response macos rust
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/puffyCid/macos-loginitems
- Owner: puffyCid
- License: mit
- Created: 2022-02-23T00:15:08.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-08-28T05:00:18.000Z (about 2 years ago)
- Last Synced: 2024-06-26T00:34:38.615Z (3 months ago)
- Topics: incident-response, macos, rust
- Language: Rust
- Homepage:
- Size: 38.1 KB
- Stars: 15
- Watchers: 2
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# macos-loginitems
A simple macOS LoginItems parser (and library) written in Rust!
LoginItems are a form of persistence on macOS: they are triggered when a user logs into the system. This simple library lets you parse that data. LoginItems can be created for each macOS user, and they can also be embedded in an Application.
# Use Case
Parsing LoginItems on a macOS system is mainly useful for forensic investigations. It can be used to identify possible persistence on a system.
# LoginItems Data
LoginItems contain a variety of interesting data such as:
1. Path to target binary
2. Target creation time
3. Volume UUID
4. Volume creation
5. Localized Name

LoginItems can exist per user at:
* `/Users//Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm`

And macOS Applications can bundle LoginItems, which should be registered at:
* `/var/db/com.apple.xpc.launchd/loginitems..plist`

Both files are PLIST files. However, `backgrounditems.btm` is a binary PLIST file that contains macOS Bookmark data. The Bookmark data contains the LoginItem.
# References
http://michaellynn.github.io/2015/10/24/apples-bookmarkdata-exposed/
https://mac-alias.readthedocs.io/en/latest/bookmark_fmt.html
https://www.sentinelone.com/blog/how-malware-persists-on-macos/
https://theevilbit.github.io/beyond/beyond_0003/
# Other Bookmark/LoginItems parsing tools
https://github.com/al45tair/mac_alias
https://github.com/strozfriedberg/plistutils
https://github.com/objective-see/KnockKnock
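The README above notes that `backgrounditems.btm` is a binary PLIST wrapping macOS Bookmark data. The following is an added example (not code from the macos-loginitems project) showing the first step a forensic parser takes: load the binary plist with the standard `plistlib`, locate the embedded Bookmark blobs by their `book` magic, and check the declared length from the Bookmark header (layout as described in the mac_alias bookmark format notes referenced above) against the actual blob size so a truncated record is flagged instead of over-read. The sample `.btm` contents, the `build_sample_btm` helper and the `Example.app` path are constructed for this example.

```python
import plistlib
import struct

# Bookmark data starts with the magic "book" followed by a little-endian
# u32 total length (header layout per the mac_alias bookmark format notes).
BOOKMARK_MAGIC = b"book"


def build_sample_btm() -> bytes:
    """Constructed stand-in for backgrounditems.btm: a binary plist whose
    keyed-archive objects hold one Bookmark blob. Only the parts this
    example needs are modelled; a real file carries many more objects."""
    # Constructed blob: magic + total size + filler + an embedded path.
    body = b"\x00" * 40 + b"/Applications/Example.app\x00"
    blob = BOOKMARK_MAGIC + struct.pack("<I", 8 + len(body)) + body
    archive = {
        "$version": 100000,
        "$objects": ["$null", {"bookmark": blob, "name": "Example"}],
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def iter_blobs(node):
    """Yield every bytes value anywhere in a parsed plist tree."""
    if isinstance(node, bytes):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_blobs(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_blobs(value)


def find_bookmarks(btm_bytes: bytes) -> list:
    """Locate Bookmark blobs in a .btm plist and sanity-check their headers.
    A declared size larger than the blob means the record is truncated or
    malformed, which a parser should refuse rather than read past the end."""
    found = []
    for blob in iter_blobs(plistlib.loads(btm_bytes)):
        if len(blob) < 8 or blob[:4] != BOOKMARK_MAGIC:
            continue
        declared = struct.unpack_from("<I", blob, 4)[0]
        found.append({
            "declared_size": declared,
            "actual_size": len(blob),
            "truncated": declared > len(blob),
        })
    return found
```

On a real system the bytes passed to `find_bookmarks` would come from reading the per-user `backgrounditems.btm` path listed above; decoding the Bookmark TOC and its target path records is the next step a full parser such as this library performs.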