Built on the open source project osquery
Description: This query lists all non-Apple launchd items (Apple's own plists live under /System/Library, which is protected by SIP and mounted read-only from Catalina onward, so that tree is excluded), keeps those that name a Program or carry an absolute path in ProgramArguments, resolves that binary from the launchd plist, and hashes it (MD5) for lookup on VirusTotal. Two caveats: osquery's plist table returns each ProgramArguments element as its own row, so an argument that is itself an absolute path (for example a script handed to an interpreter) is also reported as a "binary"; and Apple daemons installed under /Library/Apple/System/Library on Catalina and later are not filtered out by the /System/Library pattern.
What The Data Shows: for each third-party launchd item, the plist path, the binary it launches, the run_at_load and keep_alive settings (empty when the plist does not set them), the user it runs as, and the MD5 hash of the binary.
SQL:
-- Binary paths taken from third-party launchd plists: either the Program key,
-- or any ProgramArguments element that is an absolute path.
WITH plist_bin AS
(SELECT DISTINCT value, path FROM plist
WHERE path IN
(SELECT DISTINCT path FROM launchd
WHERE path NOT LIKE '/System/Library/%')
AND (key = 'Program' OR
(key = 'ProgramArguments' AND value LIKE '/%')
)
)
-- Join back to launchd for the run settings and to hash for the MD5 of the binary.
SELECT l.path, pb.value AS binary, l.run_at_load AS runatload,
l.keep_alive AS keepalive, l.username, h.md5
FROM launchd l
INNER JOIN plist_bin pb ON (pb.path = l.path)
INNER JOIN hash h ON (pb.value = h.path)
WHERE l.path NOT LIKE '/System/Library/%';
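A variant of the same idea, added here as an example and not taken from the original page or from the Carbon Black query set: it derives the launched binary from the launchd table's own program and program_arguments columns instead of re-parsing the plist (so only the first argument is treated as the binary, not every absolute path in the argument list), also excludes the Apple-owned /Library/Apple tree, and returns SHA-256 alongside MD5 since VirusTotal accepts either. It assumes osquery renders program_arguments as a space-separated string, so a binary path that itself contains a space is truncated at the first space; the file join for mode and mtime is optional and can be dropped.

```sql
-- Added example, not the page's own query. Assumes osquery's launchd table
-- exposes program and program_arguments (space-separated) as documented.
WITH third_party AS (
  SELECT
    path, label, username, run_at_load, keep_alive,
    -- Prefer the Program key; otherwise take the first ProgramArguments token.
    -- Assumption: a binary path containing a space is cut at that space.
    CASE
      WHEN program != '' THEN program
      ELSE substr(program_arguments, 1, instr(program_arguments || ' ', ' ') - 1)
    END AS binary
  FROM launchd
  WHERE path NOT LIKE '/System/Library/%'
    AND path NOT LIKE '/Library/Apple/%'
)
SELECT
  t.path AS plist,
  t.label,
  t.binary,
  t.username,
  t.run_at_load AS runatload,
  t.keep_alive AS keepalive,
  f.mode,
  datetime(f.mtime, 'unixepoch') AS binary_mtime,
  h.md5,
  h.sha256
FROM third_party t
-- hash and file both need a path constraint; the join condition supplies it.
JOIN hash h ON h.path = t.binary
LEFT JOIN file f ON f.path = t.binary
-- Relative program names (e.g. an interpreter found via PATH) cannot be hashed
-- without resolving them first, so only absolute paths are kept here.
WHERE t.binary LIKE '/%';
```

Rows whose binary is not an absolute path are dropped by the final filter; if you want to see those items too, remove the WHERE clause and switch the hash join to a LEFT JOIN so they appear with empty hash columns.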
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.