Auto Loaded Processes

Overview

Evidence: Auto Loaded Processes Description: Collect info on autoloaded processes Category: System Platform: macos Short Name: autoproc Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Launchd manages auto-loaded processes (daemons and agents) on macOS. This data is essential for identifying persistence mechanisms, startup items, and potentially malicious services.

Data Collected

This collector gathers structured data about auto loaded processes.

Collection Method

This collector queries the launchd table via osquery and captures associated plist metadata and file hashes when possible.

Forensic Value

This evidence is crucial for forensic investigations as it reveals auto-starting processes, aiding detection of persistence, privilege abuse, and unauthorized services.