Evidence: Auto Loaded Processes
Description: Collect info on autoloaded processes
Category: System
Platform: macos
Short Name: autoproc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Launchd manages auto-loaded processes (daemons and agents) on macOS. This data is essential for identifying persistence mechanisms, startup items, and potentially malicious services.
Data Collected
This collector gathers structured data about auto-loaded processes (launchd daemons and agents).
Collection Method
This collector queries the launchd table via osquery and captures associated plist metadata and file hashes when possible.
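The following is an added example, not the collector's own code: it takes the rows that `osqueryi --json "SELECT * FROM launchd"` would print, reads the matching launchd plist, hashes the program each entry points at, and then applies a few defensive triage heuristics. The osquery column names used (`path`, `label`, `program`, `run_at_load`, `keep_alive`, `disabled`, `username`) are those of osquery's launchd table; the `image_root` parameter, the triage rules and every host path, label and file body are assumptions constructed for the example. The program body is the SHA-256 test vector `b"abc"` so the digest it reports is a known value.

```python
"""Added example (not part of the collector on this page): enrich osquery launchd
rows with plist metadata and program hashes, then flag entries worth a first look.
All host data here is constructed, not captured."""
import hashlib
import json
import os
import plistlib
import tempfile

# Constructed placeholder program body; b"abc" is the SHA-256 test vector.
SAMPLE_PROGRAM_BYTES = b"abc"

# Locations a normal user can write to; an auto-started program there is a
# common persistence smell (heuristic, not proof).
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")


def sha256_of_file(path):
    """Hex SHA-256 of a file, or None when it cannot be read (a persistence entry
    whose binary is gone is itself a finding)."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def load_plist_metadata(path):
    """Parse a launchd plist (XML or binary) and keep the keys analysts compare
    against the osquery row; {} when the file is missing or not a plist."""
    try:
        with open(path, "rb") as f:
            data = plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        return {}
    wanted = ("Label", "Program", "ProgramArguments", "RunAtLoad",
              "KeepAlive", "StartInterval", "WatchPaths")
    return {k: data[k] for k in wanted if k in data}


def enrich_rows(osquery_json, image_root="/"):
    """One record per launchd row, with plist metadata and program hash.
    Row paths are host paths; image_root is where that filesystem is reachable
    (live host: "/"; mounted disk image: its mount point). Assumed design."""
    def on_disk(host_path):
        return os.path.join(image_root, host_path.lstrip("/"))

    records = []
    for row in json.loads(osquery_json):
        program = row.get("program") or ""
        records.append({
            "plist_path": row["path"],
            "label": row.get("label"),
            "program": program,
            "run_at_load": row.get("run_at_load") == "1",
            "keep_alive": row.get("keep_alive") == "1",
            "user": row.get("username"),
            "plist": load_plist_metadata(on_disk(row["path"])),
            "program_sha256": sha256_of_file(on_disk(program)) if program else None,
        })
    return records


def triage(records):
    """Map label -> reasons for entries an investigator should look at first."""
    findings = {}
    for r in records:
        reasons = []
        prog = r["program"]
        if prog.startswith(USER_WRITABLE_PREFIXES) and (r["run_at_load"] or r["keep_alive"]):
            reasons.append("auto-started program lives in a user-writable location")
        if os.path.basename(prog).startswith("."):
            reasons.append("program file name is hidden (dot-prefixed)")
        if prog and r["program_sha256"] is None:
            reasons.append("program is missing or unreadable on disk")
        if r["plist"] == {}:
            reasons.append("launchd plist could not be read")
        if reasons:
            findings[r["label"]] = reasons
    return findings


def build_sample_host(root):
    """Write a constructed daemon plist and program under root (as if root were a
    mounted image) and return osquery-style JSON that uses host paths."""
    program = "/usr/local/bin/example-backup"
    plist = "/Library/LaunchDaemons/com.example.backup.plist"

    def path_under_root(host_path):
        full = os.path.join(root, host_path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        return full

    with open(path_under_root(program), "wb") as f:
        f.write(SAMPLE_PROGRAM_BYTES)
    with open(path_under_root(plist), "wb") as f:
        plistlib.dump({"Label": "com.example.backup", "Program": program,
                       "RunAtLoad": True, "KeepAlive": False}, f)
    rows = [
        {"path": plist, "label": "com.example.backup", "program": program,
         "run_at_load": "1", "keep_alive": "0", "disabled": "0", "username": "root"},
        # Constructed user agent whose hidden binary and plist are absent from disk.
        {"path": "/Users/alice/Library/LaunchAgents/com.updater.helper.plist",
         "label": "com.updater.helper", "program": "/Users/alice/Library/Caches/.helper",
         "run_at_load": "1", "keep_alive": "1", "disabled": "0", "username": "alice"},
    ]
    return json.dumps(rows)


def run_demo():
    """Enrich and triage the constructed host; returns (records, findings)."""
    with tempfile.TemporaryDirectory() as root:
        records = enrich_rows(build_sample_host(root), image_root=root)
        return records, triage(records)


if __name__ == "__main__":
    recs, found = run_demo()
    print(json.dumps(recs, indent=2, default=str))
    print(json.dumps(found, indent=2))
```

On a live host, `enrich_rows` would be fed the real osquery output with the default `image_root="/"`; against a mounted image the same host paths resolve under the mount point. Hashing the program rather than only the plist matters because the plist can stay unchanged while the binary it launches is swapped, and a `None` hash for an entry with `RunAtLoad` set records that launchd still points at something that is no longer there.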
Forensic Value
This evidence is crucial for forensic investigations as it reveals auto-starting processes, aiding detection of persistence, privilege abuse, and unauthorized services.