
Description: This osquery query finds suspicious launch daemons that are configured to run at load (i.e. start at boot) and whose executable is not code-signed.
SQL:
SELECT *
FROM signature s
JOIN launchd d ON d.program_arguments = s.path
WHERE s.signed = 0 AND d.run_at_load = 1;
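The query above only matches daemons whose ProgramArguments consist of the bare executable path; a daemon started with arguments never joins the signature table and is silently skipped. The variant below is an added example (not from the referenced Uptycs post or from osquery's own documentation) that resolves the executable from either the `program` column or the first token of `program_arguments`, and narrows the scan to the system-wide LaunchDaemons directories. It assumes `program` is empty when only ProgramArguments is set, that `run_at_load = 1` matches as in the original query, and that the executable path contains no spaces.

```sql
-- Added example: derive the daemon's executable path, then check its signature.
-- Assumption: launchd.program is '' when the plist uses only ProgramArguments,
-- and the first whitespace-delimited token of program_arguments is the binary
-- (paths containing spaces are a known limitation of this heuristic).
WITH daemons AS (
  SELECT
    d.path  AS plist,
    d.label,
    CASE
      WHEN d.program != '' THEN d.program
      ELSE substr(d.program_arguments, 1,
                  instr(d.program_arguments || ' ', ' ') - 1)
    END     AS exe
  FROM launchd d
  WHERE d.run_at_load = 1
    -- system-wide daemon locations; per-user LaunchAgents are out of scope here
    AND (d.path LIKE '/Library/LaunchDaemons/%'
         OR d.path LIKE '/System/Library/LaunchDaemons/%')
)
SELECT
  daemons.plist,
  daemons.label,
  daemons.exe,
  s.signed,
  s.identifier,   -- bundle/code identifier, empty for unsigned binaries
  s.authority     -- signing authority, useful for triaging non-Apple signers
FROM daemons
JOIN signature s ON s.path = daemons.exe
WHERE s.signed = 0
ORDER BY daemons.plist;
```

Rows returned are unsigned binaries that launchd will start at boot; compare `plist` and `exe` against your baseline of expected daemons before treating a hit as malicious.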
Operating Systems: Apple only
Reference:
- https://www.uptycs.com/blog/hunting-for-evil-launch-daemons-identifying-suspicious-behavior-with-osquery
- https://osquery.io/schema/current/#launchd
- https://osquery.io/schema/current/#signature