Pro plugin
Persistence Mechanisms
Inventories macOS persistence mechanisms including launch items, login items, scheduled tasks, shell configs, kernel/system extensions, authorization plugins, configuration profiles, and legacy persistence vectors.

Plugin ID: system.persistence
Tier: Pro
Compatibility: macOS 10.15+
Version: v1.0.0
Tags: system, security, persistence

Run this plugin
Trigger collection for Persistence Mechanisms on its own with the --plugin flag, or include it in a wider sweep by category.
```bash
# Just this plugin
macfor-pro collect --plugin system.persistence --output ./evidence.zip

# Dry run — list what would be collected
macfor-pro collect --plugin system.persistence --dry-run
```

Compatibility
- macOS 10.15+
Licensing: ships in the macfor-pro binary. See Community vs Pro.
Artifacts collected (20)
Each row corresponds to an entry in the plugin's artifacts.yaml manifest. Optional artifacts are skipped unless explicitly enabled.
persistence
| Artifact | ID | Value | Format | Path | Notes |
|---|---|---|---|---|---|
| Launch Agents | `persistence_launch_agent` | high | binary_plist | `~/Library/LaunchAgents/*.plist` (+1 more) | — |
| Launch Daemons | `persistence_launch_daemon` | high | binary_plist | `/Library/LaunchDaemons/*.plist` | — |
| Launch Overrides | `persistence_launch_override` | medium | binary_plist | `/var/db/launchd.db/com.apple.launchd/overrides.plist` (+2 more) | — |
| BTM Database Items | `persistence_btm_item` | high | binary_plist | `/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm` | NSKeyedArchiver-encoded binary plist. Requires native Go decoder. |
| Legacy Login Items | `persistence_login_item` | high | binary_plist | `~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` (+3 more) | — |
| Login Hooks | `persistence_login_hook` | high | binary_plist | `/var/root/Library/Preferences/com.apple.loginwindow.plist` (+1 more) | Deprecated since macOS 10.11. Presence is suspicious. |
| Cron Jobs | `persistence_cron_job` | high | text | `/usr/lib/cron/tabs/*` (+2 more) | — |
| Periodic Scripts | `persistence_periodic_script` | medium | text | `/etc/periodic/daily/*` (+5 more) | — |
| At Jobs | `persistence_at_job` | medium | text | `/var/at/jobs/*` (+1 more) | — |
| Shell Configuration Files | `persistence_shell_config` | medium (Sensitive) | text | `~/.zshenv` (+15 more) | May contain credentials or sensitive environment variables. |
| Authorization Plugins | `persistence_auth_plugin` | high | directory | `/Library/Security/SecurityAgentPlugins/*.bundle` | Third-party auth plugins can intercept login credentials. |
| Kernel Extensions | `persistence_kext` | high | directory | `/Library/Extensions/*.kext` | — |
| KextPolicy Database | `persistence_kext_policy` | medium | sqlite | `/var/db/SystemPolicyConfiguration/KextPolicy` | — |
| Kext Load History | `persistence_kext_load` | medium | sqlite | `/var/db/SystemPolicyConfiguration/KextPolicy` | Extracted from the `kext_load_history_v3` table in the KextPolicy database. |
| System Extensions | `persistence_system_extension` | medium | binary_plist | `/Library/SystemExtensions/db.plist` (+1 more) | — |
| Configuration Profiles | `persistence_config_profile` | high | binary_plist | `/var/db/ConfigurationProfiles/Store/*.plist` (+1 more) | — |
| emond Rules | `persistence_emond_rule` | high | binary_plist | `/etc/emond.d/rules/*.plist` (+1 more) | emond removed in macOS 12.3+. Presence on newer systems is highly suspicious. |
| emond Clients | `persistence_emond_client` | high | text | `/private/var/db/emondClients/*` | Any file in this directory activates the emond daemon. |
| Startup Items | `persistence_startup_item` | medium | directory | `/Library/StartupItems/*` | Legacy mechanism removed in macOS 13. Presence on newer systems is suspicious. |
| DYLD Injection Artifacts | `persistence_dyld_artifact` | critical | text | `/etc/launchd.conf` (+1 more) | launchd.conf should not exist on macOS 10.10+. `/etc/dyld/` is non-standard. |
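Several rows above carry a version-dependent "presence is suspicious" note (login hooks, emond, StartupItems, `/etc/launchd.conf`, `/etc/dyld/`). The following is an added triage script, not part of macfor-pro, that re-implements those rules as a stand-alone check a responder can run against a live system or a mounted evidence image. The `root` parameter is an assumption for offline use; the rules, paths and severities are taken from the table, and the `LoginHook`/`LogoutHook` keys are the documented loginwindow hook keys that the deprecated mechanism uses.

```python
"""Triage of legacy macOS persistence artifacts (added example, not macfor-pro code).

Re-implements the "presence is suspicious" rules from the artifact table:
login hooks, emond rules/clients, StartupItems, /etc/launchd.conf and /etc/dyld/.
`root` (an assumption) points the checks at a mounted image or a test tree
instead of the live filesystem root.
"""
import fnmatch
import os
import plistlib
from dataclasses import dataclass


@dataclass
class Finding:
    artifact_id: str   # id from the plugin manifest
    path: str
    severity: str
    reason: str


def parse_version(version: str) -> tuple:
    """Turn '12.3.1' into (12, 3, 1) so macOS versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


# (artifact id, glob relative to root, macOS version from which presence is suspicious
#  or None for "always", severity, reason). Values come from the table above.
LEGACY_PATH_RULES = [
    ("persistence_dyld_artifact", "etc/launchd.conf", "10.10", "critical",
     "/etc/launchd.conf should not exist on macOS 10.10+"),
    ("persistence_dyld_artifact", "etc/dyld", None, "critical",
     "/etc/dyld/ is non-standard"),
    ("persistence_emond_rule", "etc/emond.d/rules/*.plist", "12.3", "high",
     "emond removed in macOS 12.3+"),
    ("persistence_emond_client", "private/var/db/emondClients/*", None, "high",
     "any file here activates the emond daemon"),
    ("persistence_startup_item", "Library/StartupItems/*", "13", "medium",
     "StartupItems removed in macOS 13"),
]

# Single loginwindow plist named in the table; hooks deprecated since macOS 10.11.
LOGIN_HOOK_PLIST = "var/root/Library/Preferences/com.apple.loginwindow.plist"


def expand(root: str, pattern: str) -> list:
    """Expand a manifest-style glob under root. Unlike glob.glob, dotfiles are included,
    so an attacker-named '.hidden' entry in emondClients or StartupItems is not missed."""
    base, _, leaf = pattern.rpartition("/")
    parent = os.path.join(root, base)
    if not os.path.isdir(parent):
        return []
    return sorted(os.path.join(parent, name)
                  for name in os.listdir(parent) if fnmatch.fnmatch(name, leaf))


def check_legacy_paths(root: str, macos_version: str) -> list:
    """Flag legacy artifacts that should no longer exist on this macOS version."""
    current = parse_version(macos_version)
    findings = []
    for artifact_id, pattern, since, severity, reason in LEGACY_PATH_RULES:
        if since is not None and current < parse_version(since):
            continue  # mechanism is still legitimate on this release; skip
        for match in expand(root, pattern):
            findings.append(Finding(artifact_id, match, severity, reason))
    return findings


def check_login_hooks(root: str) -> list:
    """Parse the loginwindow plist and flag LoginHook/LogoutHook keys."""
    path = os.path.join(root, LOGIN_HOOK_PLIST)
    if not os.path.isfile(path):
        return []
    try:
        with open(path, "rb") as fh:
            prefs = plistlib.load(fh)
    except (plistlib.InvalidFileException, ValueError):
        return [Finding("persistence_login_hook", path, "medium",
                        "unparseable loginwindow plist; inspect manually")]
    return [Finding("persistence_login_hook", path, "high",
                    f"{key} set to {prefs[key]!r}; login hooks deprecated since macOS 10.11")
            for key in ("LoginHook", "LogoutHook") if key in prefs]


def triage(root: str = "/", macos_version: str = "14.0") -> list:
    """Run every rule and return the combined findings list."""
    return check_legacy_paths(root, macos_version) + check_login_hooks(root)


if __name__ == "__main__":
    import platform
    version = platform.mac_ver()[0] or "14.0"  # falls back when not run on macOS
    for f in triage("/", version):
        print(f"[{f.severity}] {f.artifact_id}: {f.path} -> {f.reason}")
```

The version gate matters: on macOS 11 an emond rule or a StartupItem is an ordinary (if aging) configuration, and flagging it would only add noise; the same file on macOS 13 or later has no legitimate reason to exist and deserves a high-priority look. Pass the version recorded from the image (for example from the collected system profile) rather than the analyst workstation's own.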