Skip to content

Instantly share code, notes, and snippets.

@jipegit

jipegit/Apple persitence mecanisms.md

Last active March 24, 2025 12:37
Show Gist options
  • Save jipegit/04d1c577f20922adcd2cfd90698c151b to your computer and use it in GitHub Desktop.
Save jipegit/04d1c577f20922adcd2cfd90698c151b to your computer and use it in GitHub Desktop.
Download ZIP
Apple persitence mecanisms
Raw
Apple persitence mecanisms.md

Apple persitence mecanisms

Type Location Documentation
Kernel/Sytem Extensions /System/Library/Extensions/
/Library/Extensions/
/Extra/Extensions/		 https://developer.apple.com/fr/support/kernel-extensions/
/Extra/Extensions/ is deprecated
Launch Daemons /System/Library/LaunchDaemons/
/Library/LaunchDaemons/
/Users/*/Library/LaunchDaemons/		 https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html
Launch Agents /System/Library/LaunchAgents/
/Library/LaunchAgents/
/Users/*/Library/LaunchAgents/		 https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html
Startup Items /System/Library/StartupItems/
/Library/StartupItems/
/Users/*/Library/StartupItems/		 https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
Deprecated
Scripting Additions /System/Library/ScriptingAdditions/
/Library/ScriptingAdditions/
/Applications/*/Contents/Resources/Scripting Additions/		 https://developer.apple.com/documentation/macos_release_notes/macos_mojave_10_14_release_notes
/System/Library/ and /Library are deprecated
Login / Logout Hooks /Library/Preferences/com.apple.loginwindow.plist
/Users/*/Library/Preferences/com.apple.loginwindow.plist
/Users/*/Library/Preferences/loginwindow.plist		 https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html
Login hooks, Pre-logon, Deprecated
ReOpen Applications /Users/*/Library/Preferences/ByHost/com.apple.loginwindow.* https://www.virusbulletin.com/virusbulletin/2014/10/paper-methods-malware-persistence-mac-os-x
Login Items /Users/*/Library/Preferences/com.apple.loginitems.plist
/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm		 https://objective-see.com/blog/blog_0x31.html
Post-logon
Authorization Plugins /System/Library/CoreServices/SecurityAgentPlugins/
/Library/Security/SecurityAgentPlugins/		 https://developer.apple.com/documentation/security/authorization_plug-ins/using_authorization_plug-ins
Directory Services Plug-ins /System/Library/Frameworks/DirectoryService.framework/Versions/A/Resources/Plugins/
/Library/DirectoryServices/PlugIns		 https://developer.apple.com/library/archive/documentation/Networking/Conceptual/Open_Dir_Plugin/ConfiguringanOpenDirectoryPlug-in/ConfiguringanOpenDirectoryPlug-in.html
App extensions /Applications/*/Contents/PlugIns/ https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionCreation.html
Quicklook Generator /Applications/*/Contents/Library/QuickLook/ https://developer.apple.com/library/archive/documentation/UserExperience/Conceptual/Quicklook_Programming_Guide/Introduction/Introduction.html
Spotlight Importers /Library/Spotlight/
/Applications/*/Contents/Library/Spotlight/		 https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/
Apple Scripts /Library/Scripts/
/Users/*/Library/Scripts/		 Deprecated
Firefox Extensions /Users/*/Library/Application Support/Firefox/Profiles/*/extensions/
Chrome Extensions /Users/*/Library/Application Support/Google/Chrome/*/Extensions/
/Users/*/Library/Application Support/Google/Chrome Canary/*/Extensions/
/Users/*/Library/Application Support/Chromium/*/Extensions/
Safari Extensions /Users/*/Library/Safari/Extensions/
Internet Plugins /Library/Internet Plug-Ins/ https://developer.apple.com/library/archive/documentation/InternetWeb/Conceptual/WebKit_PluginProgTopic/Concepts/AboutPlugins.html
Launchd /etc/launchd.conf Deprecated
Emond rules /etc/emond.d/emond.plist
/etc/emond.d/rules/		 https://www.xorrior.com/emond-persistence/
Cron jobs /usr/lib/cron/jobs/ man cron
Cron tabs /etc/crontab
/private/etc/crontab
/usr/lib/cron/tabs/		 man crontab
Periodic Scripts /etc/defaults/periodic.conf
/etc/periodic.conf
/etc/periodic/
 man periodic.conf
RC scripts /etc/rc.common
/etc/rc.boot
/etc/rc.installer_cleanup
/etc/rc.cleanup
Library Inserts * / active scan required https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/
Library proxy * / active scan required https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment