Launchd

macOS launch daemons (launchd) are the most common way to register applications for persistence on macOS. launchd entries can be registered for a single user or system wide. artemis will try to parse all known launchd locations by default.

  • /Users/%/Library/LaunchDaemons/
  • /Users/%/Library/LaunchAgents/
  • /System/Library/LaunchDaemons/
  • /Library/Apple/System/Library/LaunchDaemons/
  • /System/Library/LaunchAgents/
  • /Library/Apple/System/Library/LaunchAgents/

Other Parsers:

  • Any tool that can parse a plist file

References:

TOML Collection

system = "macos"

[output]
name = "launchd_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "abdc"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "launchd"

Collection Options

  • N/A

Output Structure

An array of Launchd entries

export interface Launchd {
  /**JSON representation of launchd plist contents */
  launchd_data: Record<string, unknown>;
  /**Full path of the plist file */
  plist_path: string;
}
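
As an added example (not artemis code), a TypeScript triage pass over the array described above, flagging entries whose launch command deserves a closer look during a persistence review. It assumes launchd_data keeps the standard launchd.plist key names (Label, Program, ProgramArguments); triageLaunchd, the Finding shape, the heuristics and the sample records are constructed for illustration.

```typescript
// Shape copied from the Output Structure section of this page.
interface Launchd {
  launchd_data: Record<string, unknown>;
  plist_path: string;
}
interface Finding { plist_path: string; label: string; command: string; reasons: string[] }

// Assumed review heuristics, not artemis behaviour: directories any local user can write to.
const WRITABLE_DIRS = ["/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/"];
const SHELLS = ["sh", "bash", "zsh"];

function triageLaunchd(entries: Launchd[]): Finding[] {
  const findings: Finding[] = [];
  for (const { launchd_data: data, plist_path } of entries) {
    // ProgramArguments is optional and untyped; keep only its string elements.
    const raw: unknown = data["ProgramArguments"];
    const args = Array.isArray(raw) ? raw.filter((a): a is string => typeof a === "string") : [];
    // launchd executes Program when present, otherwise the first ProgramArguments element.
    const prog: unknown = data["Program"];
    const program = typeof prog === "string" ? prog : (args[0] ?? "");
    const paths = [program, ...args].filter((s) => s.startsWith("/"));
    const reasons: string[] = [];
    if (paths.some((p) => WRITABLE_DIRS.some((dir) => p.startsWith(dir)))) {
      reasons.push("path in a world-writable directory");
    }
    if (paths.some((p) => p.split("/").some((part) => part.startsWith(".")))) {
      reasons.push("hidden path component");
    }
    if (SHELLS.includes(program.split("/").pop() ?? "") && args.includes("-c")) {
      reasons.push("inline shell command");
    }
    if (reasons.length > 0) {
      const rawLabel: unknown = data["Label"];
      const label = typeof rawLabel === "string" ? rawLabel : "(no Label)";
      findings.push({ plist_path, label, command: args.join(" ") || program, reasons });
    }
  }
  return findings;
}

// Constructed sample records, not real collection output.
const SAMPLE: Launchd[] = [
  { plist_path: "/System/Library/LaunchDaemons/com.example.timed.plist",
    launchd_data: { Label: "com.example.timed", ProgramArguments: ["/usr/libexec/timed"], RunAtLoad: true } },
  { plist_path: "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
    launchd_data: { Label: "com.example.updater", ProgramArguments: ["/bin/sh", "-c", "/Users/Shared/.cache/update"] } },
  { plist_path: "/Users/alice/Library/LaunchAgents/com.example.helper.plist",
    launchd_data: { Label: "com.example.helper", Program: "/private/tmp/helper" } },
];
console.log(triageLaunchd(SAMPLE));
```

A flagged entry is a lead for review, not a verdict: legitimate software also runs shell wrappers, so check the binary's signature and the plist's creation time before drawing conclusions.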