Launch Agents and Daemons
Overview
launchd is the macOS service management framework responsible for starting, stopping, and managing daemons and agents. Launch Agents and Launch Daemons are the primary persistence mechanism on macOS and are frequently abused by malware and threat actors.
This article is under development. Detailed launchd forensic analysis documentation is coming soon.
Key Forensic Areas
- Persistence: Identify malicious Launch Agents/Daemons installed for persistence
- Execution context: Determine whether items run as root (daemons) or user (agents)
- Scheduling: RunAtLoad, StartInterval, StartCalendarInterval, WatchPaths triggers
- Program arguments: Full command lines and environment variables
- Overrides: Disabled state tracking in launchd overrides database
File Locations
| Directory | Scope | Description |
|---|---|---|
| /System/Library/LaunchDaemons/ | System | Apple system daemons |
| /System/Library/LaunchAgents/ | System | Apple system agents |
| /Library/LaunchDaemons/ | Global | Third-party daemons (root) |
| /Library/LaunchAgents/ | Global | Third-party agents (all users) |
| ~/Library/LaunchAgents/ | User | Per-user agents |
| /var/db/com.apple.xpc.launchd/ | System | Launchd state database |
Plist Structure
Key fields in Launch Agent/Daemon property lists:
| Key | Type | Description |
|---|---|---|
| Label | String | Unique service identifier |
| Program | String | Executable path |
| ProgramArguments | Array | Command and arguments |
| RunAtLoad | Boolean | Execute on load (login/boot) |
| KeepAlive | Boolean/Dict | Restart policy |
| StartInterval | Integer | Run every N seconds |
| WatchPaths | Array | Trigger on path changes |
| EnvironmentVariables | Dict | Environment variables |
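The following added example (not part of this article) shows a small triage routine that ties the two tables above together: it parses a Launch Agent/Daemon plist with the standard library, extracts the label, effective command line, scheduling triggers and environment, and derives the execution context (daemon vs. agent, root vs. user) from the plist's directory. The sample plist, the `com.example.updater` label and the assumption that user homes live under `/Users/` are constructed for the demo.

```python
import plistlib
from pathlib import PurePosixPath

# Directory -> (item kind, run-as context, origin), mirroring the File Locations table.
LOCATION_SCOPES = {
    "/System/Library/LaunchDaemons": ("daemon", "root", "Apple"),
    "/System/Library/LaunchAgents": ("agent", "user", "Apple"),
    "/Library/LaunchDaemons": ("daemon", "root", "third-party"),
    "/Library/LaunchAgents": ("agent", "user", "third-party"),
}
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval", "StartCalendarInterval", "WatchPaths")

# Constructed sample plist for the demo; not taken from a real system.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/bin/sh</string><string>-c</string><string>/Users/Shared/.update.sh</string>
</array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/><key>StartInterval</key><integer>300</integer>
<key>EnvironmentVariables</key><dict><key>HOME</key><string>/tmp</string></dict>
</dict></plist>
"""

def classify_location(path: str) -> dict:
    """Infer item kind and execution context from where the plist lives."""
    parent = str(PurePosixPath(path).parent)
    if parent in LOCATION_SCOPES:
        kind, runs_as, origin = LOCATION_SCOPES[parent]
    elif parent.startswith("/Users/") and parent.endswith("/Library/LaunchAgents"):
        kind, runs_as, origin = "agent", "user", "per-user"  # assumes homes under /Users
    else:
        kind, runs_as, origin = ("unknown",) * 3
    return {"kind": kind, "runs_as": runs_as, "origin": origin}

def triage_plist(path: str, data: bytes) -> dict:
    """Parse an XML or binary plist and pull out the persistence-relevant fields."""
    p = plistlib.loads(data)  # plistlib detects XML vs. binary (bplist00) itself
    args = [str(a) for a in p.get("ProgramArguments", [])]
    # launchd runs Program when set; otherwise ProgramArguments[0] is the executable.
    executable = p.get("Program") or (args[0] if args else None)
    return {
        "label": p.get("Label"),
        "executable": executable,
        "command_line": " ".join(args) if args else executable,
        "triggers": {k: p[k] for k in TRIGGER_KEYS if k in p},
        "env": dict(p.get("EnvironmentVariables", {})),
        **classify_location(path),
    }
```

Call `triage_plist(path, open(path, "rb").read())` over every file in the directories listed above to get one record per item; records with `RunAtLoad`/`KeepAlive` set and an executable outside the usual system paths are the ones to review first.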