macOS 3rd Party launchd binaries + hashes

Description: This query gets all non-Apple launchd items (remember that /System should be immutable due to SIP and will be read-only in Catalina), finds any that have program arguments or launch a binary, locates that binary from the launchd plist, and hashes it (MD5) for upload to VirusTotal.

What The Data Shows: hashed third-party launchd binaries, their path, the plist, the run-at-load and keep-alive arguments if present, and the MD5 hash of the binary launched.

SQL:

WITH plist_bin AS (
  -- Binary launched by each non-Apple launchd plist: the Program key, or any
  -- ProgramArguments entry that is an absolute path (normally argv[0]).
  SELECT DISTINCT value, path
  FROM plist
  WHERE path IN (SELECT DISTINCT path FROM launchd
                 WHERE path NOT LIKE '/System/Library/%')
    AND (key = 'Program'
         OR (key = 'ProgramArguments' AND value LIKE '/%'))
)
SELECT l.path, pb.value AS binary, l.run_at_load AS runatload,
       l.keep_alive AS keepalive, l.username, h.md5
FROM launchd l
INNER JOIN plist_bin pb ON pb.path = l.path
INNER JOIN hash h ON h.path = pb.value  -- the hash table needs this path constraint
WHERE l.path NOT LIKE '/System/Library/%';
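
Added here as an extension of the query above (example SQL, not part of the original post): the same lookup joined to osquery's signature table, so each third-party launchd binary is reported with its code-signing status, Team ID and signing authority alongside MD5 and SHA-256, which lets an analyst sort unsigned or unknown-team items to the top before anything is sent to VirusTotal. The extra exclusion of /Library/Apple/% is my assumption about where Apple keeps its non-SIP launchd items and can be dropped.

```sql
-- Added example: third-party launchd binaries with hashes and code-signing data.
-- Tables and columns are from the osquery macOS schema (launchd, plist, hash, signature).
WITH third_party AS (
  SELECT path FROM launchd
  WHERE path NOT LIKE '/System/Library/%'
    AND path NOT LIKE '/Library/Apple/%'   -- assumption: Apple's non-SIP launchd items
),
plist_bin AS (
  -- Same selection as the original query: the Program key, or any absolute-path
  -- ProgramArguments entry (normally argv[0]).
  SELECT DISTINCT p.path, p.value AS binary
  FROM plist p
  JOIN third_party t ON t.path = p.path
  WHERE p.key = 'Program'
     OR (p.key = 'ProgramArguments' AND p.value LIKE '/%')
)
SELECT
  l.path            AS plist,
  pb.binary,
  l.run_at_load     AS runatload,
  l.keep_alive      AS keepalive,
  l.username,
  h.md5,
  h.sha256,
  s.signed,                       -- 1 if the binary carries a code signature
  s.team_identifier,              -- Apple Developer Team ID, empty if unsigned/ad hoc
  s.authority                     -- leaf certificate common name
FROM launchd l
JOIN plist_bin pb ON pb.path = l.path
JOIN hash h       ON h.path = pb.binary
LEFT JOIN signature s ON s.path = pb.binary   -- LEFT JOIN keeps binaries with no signature row
ORDER BY s.signed, s.team_identifier, l.path;
```

Rows with signed = 0 or an empty team_identifier are the ones worth hashing against VirusTotal first; everything else can be triaged by Team ID.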

2 Comments
kbrawley
Community Manager

Hi @Magneto thanks for another contribution! Once we vet your query, if it runs as expected we'll mark it as CB Approved.

Thanks again!

jnelson
Carbon Black Employee
Status changed to: Approved

Thanks @Magneto !