Launchd Overrides

Overview

Evidence: Launchd Overrides
Description: Collect override keys for LaunchDaemons and Agents
Category: System
Platform: macos
Short Name: launchdo
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Launchd overrides adjust behavior of daemons and agents without modifying the original plist. This data is essential for detecting persistence and unexpected service behavior.

Data Collected

This collector gathers structured data about launchd overrides.

Launchd Overrides Data

Field	Description	Example
`Name`	Name	Example value
`Path`	Path	Example value
`Label`	Label	Example value
`Program`	Program	Example value
`RunAtLoad`	Run At Load	Example value
`KeepAlive`	Keep Alive	Example value
`OnDemand`	On Demand	Example value
`Disabled`	Disabled	Example value
`UserName`	User Name	Example value
`GroupName`	Group Name	Example value
`StdoutPath`	Stdout Path	Example value
`StderrPath`	Stderr Path	Example value
`StartInterval`	Start Interval	Example value
`Arguments`	Arguments	Example value
`WatchPaths`	Watch Paths	Example value
`QueueDirs`	Queue Dirs	Example value
`InetdCompatibility`	Inetd Compatibility	Example value
`StartOnMount`	Start On Mount	Example value
`RootDir`	Root Dir	Example value
`Cwd`	Cwd	Example value
`ProcessType`	Process Type	Example value
`Ctime`	Ctime	123
`Atime`	Atime	123
`Mtime`	Mtime	123
`Hash`	Hash	Example value
`SizeInBytes`	Size In Bytes	123
`LastChangeTime`	Last Change Time	2023-10-15 14:30:25+03:00
`AccessTime`	Access Time	2023-10-15 14:30:25+03:00
`ModificationTime`	Modification Time	2023-10-15 14:30:25+03:00

Collection Method

This collector queries the launchd_overrides table via osquery and records results into the launchd_overrides table.

Forensic Value

This evidence is crucial for forensic investigations as it reveals overridden settings that may disable or enable services to aid attacker persistence or evasion.