Launchd Overrides
Overview
Evidence: Launchd Overrides
Description: Collect override keys for LaunchDaemons and Agents
Category: System
Platform: macOS
Short Name: launchdo
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Launchd overrides adjust the behavior of daemons and agents without modifying the original job plist. Because they can silently enable or disable a job that the on-disk plist appears to configure otherwise, this data is essential for detecting persistence and unexpected service behavior.
Data Collected
This collector gathers structured data about launchd overrides.
Launchd Overrides Data

Field               Display Name          Example value
------------------  --------------------  -------------------------
Name                Name                  Example value
Path                Path                  Example value
Label               Label                 Example value
Program             Program               Example value
RunAtLoad           Run At Load           Example value
KeepAlive           Keep Alive            Example value
OnDemand            On Demand             Example value
Disabled            Disabled              Example value
UserName            User Name             Example value
GroupName           Group Name            Example value
StdoutPath          Stdout Path           Example value
StderrPath          Stderr Path           Example value
StartInterval       Start Interval        Example value
Arguments           Arguments             Example value
WatchPaths          Watch Paths           Example value
QueueDirs           Queue Dirs            Example value
InetdCompatibility  Inetd Compatibility   Example value
StartOnMount        Start On Mount        Example value
RootDir             Root Dir              Example value
Cwd                 Cwd                   Example value
ProcessType         Process Type          Example value
Ctime               Ctime                 123
Atime               Atime                 123
Mtime               Mtime                 123
Hash                Hash                  Example value
SizeInBytes         Size In Bytes         123
LastChangeTime      Last Change Time      2023-10-15 14:30:25+03:00
AccessTime          Access Time           2023-10-15 14:30:25+03:00
ModificationTime    Modification Time     2023-10-15 14:30:25+03:00
Collection Method
This collector queries the launchd_overrides table via osquery and records the results into the evidence table of the same name, launchd_overrides.
Forensic Value
This evidence is crucial for forensic investigations because it reveals overridden settings that may disable or enable services in ways that aid attacker persistence (re-enabling a job its plist disables) or evasion (silencing a security agent or logging job). Comparing the override value against the job plist's own Disabled key shows which state is actually in effect.
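The comparison described above, as an added example that is not the collector's own code: it parses a launchd override file and the job plists it affects, works out the effective enabled/disabled state of each job, and flags the two cases an analyst cares about (an override re-enabling a job its plist marks Disabled, and an override disabling a job that is otherwise enabled). The system-wide override file on current macOS is assumed to be /var/db/com.apple.xpc.launchd/disabled.plist, a dictionary of job Label to boolean where true means disabled; all file contents here are constructed in memory so the script runs offline on any platform, and the paths and labels are stand-ins.

```python
import hashlib
import plistlib

# Constructed sample data (not from any real host). The job definitions stand
# in for files under /Library/LaunchDaemons; the override dictionary stands in
# for /var/db/com.apple.xpc.launchd/disabled.plist (assumed layout: Label -> bool,
# true = disabled).
SAMPLE_JOBS = {
    "/Library/LaunchDaemons/com.example.updater.plist": {
        "Label": "com.example.updater",
        "Program": "/Library/Application Support/Example/updater",
        "RunAtLoad": True,
        "KeepAlive": True,
        "Disabled": True,          # vendor shipped this job disabled
    },
    "/Library/LaunchDaemons/com.example.edr-sensor.plist": {
        "Label": "com.example.edr-sensor",
        "Program": "/Library/Example/edr-sensor",
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "/Library/LaunchDaemons/com.example.backup.plist": {
        "Label": "com.example.backup",
        "Program": "/usr/local/bin/backup",
        "StartInterval": 3600,
    },
}
SAMPLE_OVERRIDES = {
    "com.example.updater": False,      # override re-enables a job its plist disables
    "com.example.edr-sensor": True,    # override silences a security agent
}

# Serialise to bytes so the code below reads them exactly as it would read files.
JOB_FILES = {path: plistlib.dumps(job) for path, job in SAMPLE_JOBS.items()}
OVERRIDE_FILE = plistlib.dumps(SAMPLE_OVERRIDES)


def load_overrides(data: bytes) -> dict[str, bool]:
    """Parse an override plist into {label: disabled?}, dropping malformed entries."""
    parsed = plistlib.loads(data)
    if not isinstance(parsed, dict):
        return {}
    return {label: flag for label, flag in parsed.items() if isinstance(flag, bool)}


def describe_job(path: str, data: bytes, overrides: dict[str, bool]) -> dict:
    """Build one record shaped like the collector's columns, plus a Finding field."""
    job = plistlib.loads(data)
    label = job.get("Label", "")
    plist_disabled = bool(job.get("Disabled", False))
    override = overrides.get(label)            # None when no override exists
    effective_disabled = plist_disabled if override is None else override

    finding = ""
    if override is not None and override != plist_disabled:
        if override:
            finding = "override disables a job its plist leaves enabled"
        else:
            finding = "override re-enables a job its plist marks Disabled"

    return {
        "Path": path,
        "Label": label,
        "Program": job.get("Program", ""),
        "RunAtLoad": bool(job.get("RunAtLoad", False)),
        "KeepAlive": bool(job.get("KeepAlive", False)),
        "StartInterval": job.get("StartInterval"),
        "Disabled": effective_disabled,        # state actually in effect
        "OverrideValue": override,
        "Hash": hashlib.sha256(data).hexdigest(),
        "SizeInBytes": len(data),
        "Finding": finding,
    }


def analyse(job_files: dict[str, bytes], override_file: bytes) -> list[dict]:
    """Return one record per job plist, sorted by path, with overrides applied."""
    overrides = load_overrides(override_file)
    return [describe_job(p, d, overrides) for p, d in sorted(job_files.items())]


if __name__ == "__main__":
    for rec in analyse(JOB_FILES, OVERRIDE_FILE):
        flag = f"  <-- {rec['Finding']}" if rec["Finding"] else ""
        print(f"{rec['Label']:26} disabled={rec['Disabled']!s:5} "
              f"override={rec['OverrideValue']}{flag}")
```

On a real host you would read the override file and each plist from disk (per-user agents have their own disabled.<uid>.plist alongside the system file) and feed the bytes to the same functions; the Hash and SizeInBytes fields are computed over the raw file bytes so they line up with the collector's file-metadata columns.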