Launchd

macOS launch daemons (launchd) are the most common way to register applications for persistence on macOS. Launchd entries can be registered for a single user or system-wide. artemis will try to parse all known launchd locations by default:

  • /Users/%/Library/LaunchDaemons/
  • /Users/%/Library/LaunchAgents/
  • /System/Library/LaunchDaemons/
  • /Library/Apple/System/Library/LaunchDaemons/
  • /System/Library/LaunchAgents/
  • /Library/Apple/System/Library/LaunchAgents/

Other Parsers:

  • Any tool that can parse a plist file

References:

TOML Collection

system = "macos"

[output]
name = "launchd_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "abdc"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "launchd"
[artifacts.launchd]
# Optional
# alt_file = ""

Collection Options

  • alt_file: Use an alternative Launchd file. This configuration is optional. By default, artemis will read all Launchd Daemons and Agents.

Output Structure

An array of Launchd entries

export interface Launchd {
  /** JSON representation of launchd plist contents */
  launchd_data: Record<string, unknown>;
  /** Full path of the plist file */
  plist_path: string;
  /** Created timestamp for plist file */
  created: string;
  /** Modified timestamp for plist file */
  modified: string;
  /** Accessed timestamp for plist file */
  accessed: string;
  /** Changed timestamp for plist file */
  changed: string;
}
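
One way to triage a collected array of Launchd entries for persistence review, as an added example that is not part of artemis or its documentation. The RISKY_DIRS list, the three heuristics, the Finding shape and the sample entries are assumptions made for illustration; Label, Program, ProgramArguments and RunAtLoad are standard launchd.plist keys.

```typescript
// Entry shape copied from the page's Output Structure.
interface Launchd {
  launchd_data: Record<string, unknown>;
  plist_path: string;
  created: string;
  modified: string;
  accessed: string;
  changed: string;
}
interface Finding { plist_path: string; program: string; reasons: string[] }

// Assumed heuristic, not an artemis feature: directories any local user can write to.
const RISKY_DIRS = ["/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/"];

// Executable path from the standard launchd.plist keys Program or ProgramArguments[0].
function programOf(data: Record<string, unknown>): string {
  const program = data["Program"];
  if (typeof program === "string") return program;
  const args = data["ProgramArguments"];
  if (Array.isArray(args) && typeof args[0] === "string") return args[0];
  return "";
}

// Return only the entries that trip at least one heuristic, with the reasons.
function triage(entries: Launchd[]): Finding[] {
  const findings: Finding[] = [];
  for (const entry of entries) {
    const program = programOf(entry.launchd_data);
    const reasons: string[] = [];
    if (RISKY_DIRS.some((dir) => program.indexOf(dir) === 0)) reasons.push("program in world-writable directory");
    if (program.split("/").some((part) => part.charAt(0) === ".")) reasons.push("program under hidden path");
    const label = entry.launchd_data["Label"];
    const file = entry.plist_path.split("/").pop();
    if (typeof label === "string" && file !== label + ".plist") reasons.push("Label does not match plist file name");
    if (reasons.length > 0) findings.push({ plist_path: entry.plist_path, program, reasons });
  }
  return findings;
}

// Constructed sample output (not real collection data); timestamp format is assumed.
const ts = { created: "2024-01-01T00:00:00.000Z", modified: "2024-01-01T00:00:00.000Z", accessed: "2024-01-01T00:00:00.000Z", changed: "2024-01-01T00:00:00.000Z" };
const SAMPLE: Launchd[] = [
  { ...ts, plist_path: "/System/Library/LaunchDaemons/com.example.helper.plist",
    launchd_data: { Label: "com.example.helper", Program: "/usr/libexec/example_helper" } },
  { ...ts, plist_path: "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
    launchd_data: { Label: "com.example.sync", RunAtLoad: true, ProgramArguments: ["/Users/Shared/.cache/updater", "--daemon"] } },
];
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

Each heuristic is a weak signal on its own; the reasons list is meant to rank entries for manual review alongside the plist timestamps, not to classify them.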