View Other Properties

Contents

View Other Properties

How to List Launchd Entries Across All Macs

Using Kolide, you can easily view and query Mac Launchd Entries across your fleet.

Introduction

launchd is a component of macOS has two main tasks. The first is to assist in fully booting up macOS, and the second is to automatically load apps and services and ensure they remain running.

Kolide's agent uses launchd to ensure that Kolide can communicate with your device as soon as possible after it boots.

What Mac Launchd Entry Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac Launchd Entries from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac Launchd Entries Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

disabled Text

Skip loading this daemon or agent on boot

groupname Text

Run this daemon or agent as this group

inetd_compatibility Text

Run this daemon or agent as it was launched from inetd

keep_alive Text

Should the process be restarted if killed

label Text

Daemon or agent service name

name Text

File name of plist (used by launchd)

on_demand Text

Deprecated key, replaced by keep_alive

path Text

Path to daemon or agent plist

process_type Text

Key describes the intended purpose of the job

program Text

Path to target program

program_arguments Text

Command line arguments passed to program

queue_directories Text

Similar to watch_paths but only with non-empty directories

root_directory Text

Key used to specify a directory to chroot to before launch

run_at_load Text

Should the program run on launch load

start_interval Text

Frequency to run in seconds

start_on_mount Text

Run daemon or agent every time a filesystem is mounted

stderr_path Text

Pipe stderr to a target path

stdout_path Text

Pipe stdout to a target path

username Text

Run this daemon or agent as this username

watch_paths Text

Key that launches daemon or agent if path is modified

working_directory Text

Key used to specify a directory to chdir to before launch

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Review non-Apple launchd entries that exhibit persistence mechanisms associated with malware, such as auto-restarting
Kolide SQL
SELECT 
name, program_arguments, COUNT(*) AS frequency
FROM mac_launchd_entries 
WHERE label NOT ILIKE 'com.apple.%'
  AND run_at_load = '1'
  AND keep_alive = '1'
GROUP BY name, program_arguments
ORDER BY frequency DESC
Example Results
name frequency program_arguments
com.googlecode.munki.app_usage_monitor.plist 13 /usr/local/munki/app_usage_monitor
com.kolide.corp.osquery.plist 10 /usr/local/kolide-corp/bin/osqueryd --flagfile=/etc/kolide-corp/kolide.flags
com.focusrite.ControlServer.plist 9 /Applications/Focusrite Control.app/Contents/Library/LoginItems/FocusriteControlServer.app/Contents/MacOS/FocusriteControlServer daemon
homebrew.mxcl.postgresql.plist 7 /opt/homebrew/opt/postgresql/bin/postgres -D /opt/homebrew/var/postgres
com.mice.360Daemon.plist 5 /Library/Application Support/MICE/360Daemon.app/Contents/MacOS/360Daemon

Why Should I Collect Mac Launchd Entries?

Due to the capabilities of launchd to start various 3rd party services/processes when a device is booted, it is a frequent target of attack for malware authors. Configuring a malicious process with a launchd entry which has persistence mechanisms enabled such as: keep_alive = true or run_at_load = true allows the malware to run, and restart itself without the user's awareness.

For these reasons it is a good practice for Security and IT teams to review and audit the software configured in launchd to identify potential malware infections or undesirable software persistence mechanisms.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

launchd configuration provides basic information (path of software, program arguments, etc.) about some software installed on your device. This could potentially include software used for personal or sensitive reasons, for example:

  • eCigarette-Vaporizer-Control.app
  • Adult-Toy-Control.app
  • Fertility-Window-Tracker.app
  • Torrenting-Software.app

When you use Kolide to list Mac Launchd Entry data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed by employees through Slack or Google Workspace account.

Share this story:

Related Device Properties:

New
Windows Programs
software
New
Windows Microsoft Licenses
software, licenses
New
Windows Chocolatey Packages
software, packages, developers
View full list of Kolide's Device Properties
Try Kolide Free
Try Kolide Free