logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

macOS LaunchDaemon's that keep running

Status: Approved Submitted by on ‎10-31-2019 05:51 AM

Description: macOS LaunchDaemon's

What The Data Shows: Find every macOS LaunchDaemon that launches an executable and keeps it running

SQL:

SELECT name, program || program_arguments AS executable
  FROM launchd
  WHERE (run_at_load = 1 AND keep_alive = 1)
  AND (program != '' OR program_arguments != ''); 

 Source: https://github.com/osquery/osquery

Comment
1 Comment
esullivan
Carbon Black Employee
‎10-31-2019 06:43 AM
‎10-31-2019 06:43 AM
Status changed to: Approved

Thank you for your continued contributions, @stympanick !!

logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.