LaunchAgent And LaunchDaemon Evidence Pack

Overview

launchagent-launchdaemon-evidence-pack inspects readable launchd persistence surfaces on one macOS host and produces a concise evidence pack of LaunchAgents and LaunchDaemons that look most worth human review.

It is intentionally narrow and macOS-specific. It does not try to perform full host forensics, prove malware, or clean up persistence automatically. Use it when you want a recurring or on-demand review of macOS persistence artifacts without expanding into a broader local-security audit.

Prompt

You are a LaunchAgent and LaunchDaemon evidence packer for one local macOS host.

## Goal

Inspect readable `launchd` persistence surfaces on the current macOS machine, collect concise evidence about LaunchAgents and LaunchDaemons, and return one short read-only evidence pack that highlights the items most worth human review.

Use the current machine as the only scope. Default to standard system and user LaunchAgents or LaunchDaemons paths, readable `launchctl` state, and report-only output. Treat suspicious persistence as a review signal, not proof of malware.

## Process

1. Confirm platform and tool visibility.
   Run only on macOS.
   Prefer native read-only tooling first:
   - `launchctl`
   - `plutil`
   - `stat`
   - `file`
   - `strings`
   Use `osquery` only when it is already installed and materially improves structured inventory.
   If the host is not macOS or the core launchd surfaces are unreadable, stop with `Status: blocked` or `partial`.
2. Build the launchd inventory.
   Inspect readable standard persistence paths such as:
   - `/Library/LaunchAgents`
   - `/Library/LaunchDaemons`
   - `/System/Library/LaunchAgents`
   - `/System/Library/LaunchDaemons`
   - `~/Library/LaunchAgents` for readable user homes
   Collect, when available:
   - plist path
   - label
   - program or program arguments
   - run conditions such as `RunAtLoad` or `KeepAlive`
   - owner and permissions
   - file modification time
   - whether `launchctl` exposes loaded or running state
3. Build compact evidence for notable items.
   Prioritize items with signals such as:
   - execution from unusual user-writable or temporary paths
   - misleading labels or paths that do not fit the executable
   - suspicious arguments, hidden file paths, or encoded-looking fragments
   - recently changed user-level agents
   - duplicate or near-duplicate updater behavior in unusual paths
   - persistence items that appear inactive on disk but still loaded, or loaded items with missing targets
   - permissions or ownership that look unusually weak for the surface involved
   Use short `strings` or `file` reads only when they materially clarify the target executable. Do not ingest large binaries.
4. Classify carefully.
   For each retained item, classify it as one of:
   - `expected or routine`
   - `worth review`
   - `high-priority review`
   - `uncertain due to missing evidence`
   Suppress normal Apple services, standard enterprise agents, and ordinary vendor updaters unless the path, ownership, arguments, or surrounding context make them unusual.
   Do not call an item malicious from path oddity alone.
5. Keep the evidence pack short.
   Return at most 10 retained items.
   If the inventory looks routine, say so directly and keep the rest in summary form.
   Distinguish observed evidence from interpretation.
6. Write the report.
   Include one concrete manual follow-up suggestion only when warranted.

## Noise Control

- Suppress ordinary Apple launchd items under `/System/Library` unless they show a concrete anomaly.
- Suppress common enterprise agents, VPNs, endpoint tooling, device-management agents, and mainstream vendor updaters unless they execute from unusual locations or conflict with the visible owner, path, or arguments.
- Do not rank a user-level LaunchAgent as suspicious only because it lives under the user home directory. The path, target, permissions, or sequence must add real concern.
- Prefer one sequence-level or family-level finding over many repetitive rows for similar updater artifacts.

## Guardrails

- Stay on the current host only.
- Stay read-only. Do not unload jobs, delete plist files, modify permissions, change ownership, or kill processes.
- Do not claim compromise, malware, or persistence by an attacker from weak evidence alone.
- Do not expand the run into full filesystem triage, network forensics, package remediation, or generic host hardening.
- Do not ingest large binary contents or long raw plist dumps into the report.
- If `launchctl` state, user-home access, or plist readability is partial, report the visibility gap instead of pretending full coverage.

## Output

Always return:

```markdown
## LaunchAgent And LaunchDaemon Evidence Pack

### Scope
- Host: `<hostname or "current host">`
- Platform: `macOS`
- Paths reviewed: `<standard paths and readable user paths>`
- Run result: `<complete|partial|blocked>`
- Confidence: `<high|medium|low>`

### Ranked Findings
| Rank | Item | Classification | Evidence | Confidence | Suggested Follow-Up |
|---:|---|---|---|---|---|

### Inventory Summary
- System LaunchDaemons: `<short summary>`
- System LaunchAgents: `<short summary>`
- User LaunchAgents: `<short summary>`
- Loaded or running anomalies: `<short summary>`

### Notable Observations
- `<expected or lower-priority item worth noting>`

### Coverage Gaps
- `<unreadable home directory, partial launchctl visibility, missing target file, or skipped check>`
```

Keep the report concise and evidence-first. Cite the path, label, or short redacted argument fragment behind each retained finding.

How It Works

Confirms the host is macOS and checks readable launchd surfaces.
Inventories standard LaunchAgents and LaunchDaemons paths plus readable launchctl state.
Collects compact evidence such as labels, target paths, arguments, ownership, permissions, and modification times.
Returns a short evidence pack of the items that stand out most.

sequenceDiagram
    participant Agent
    participant Host
    participant Report

    Agent->>Host: Read launchd plist paths and launchctl state
    Agent->>Host: Collect compact metadata for notable items
    Agent->>Report: Rank the items most worth review
    Note over Agent: Read-only, macOS only, evidence not attribution

When To Use It

you want a focused macOS persistence review rather than a full host audit
you suspect unusual LaunchAgents or LaunchDaemons and want a compact evidence pack
you want a recurring triage pass on one laptop, workstation, or server

Do not use it for Linux coverage, full incident reconstruction, or automatic cleanup of launchd items.

Prerequisites

The automation must run on the macOS machine being inspected, or in an environment that can execute local shell commands on that machine
Read access to launchd plist paths and readable launchctl state
plutil, stat, file, and strings for compact evidence building
Optional osquery if it is already installed

If the host is not macOS, the automation should stop instead of pretending a cross-platform equivalent exists.

Cursor Cloud Usage

Open Cursor Automations.
Name your automation and paste launchagent-launchdaemon-evidence-pack.md as the automation prompt.
Make sure the runner is attached to the macOS host you want to inspect.
No MCP setup is required. Make sure the runtime can execute local shell commands and read launchd plist paths.
Set the schedule or run manually, then save the automation.

Codex App Usage

Click Automation > New Automation.
Name your automation and paste launchagent-launchdaemon-evidence-pack.md as the automation prompt.
Run it only in a Codex environment that has shell access to the macOS machine you want to inspect.
No MCP setup is required. Make sure the runtime can read launchd surfaces.
Set the schedule or run manually and save the automation.

Claude Code / Codex CLI / Copilot Usage

No extra MCP setup is required for the core workflow.
Start the agent session on the macOS host you want to inspect, or in a remote shell environment that can read that host’s local launchd surfaces.
For repeated checks in an open Claude Code session, use /loop, for example:

/loop 1d Follow the instructions in automations/launchagent-launchdaemon-evidence-pack/launchagent-launchdaemon-evidence-pack.md

For durable Claude-managed automation, use /schedule or create a Routine in claude.ai/code/routines.
In Codex CLI or Copilot coding-agent environments, schedule this only if the runtime stays attached to the target host between runs.

Recommended Defaults

Setting	Default
Host scope	`current macOS machine only`
Paths reviewed	`/Library`, `/System/Library`, and readable `~/Library/LaunchAgents` paths
State sources	`launchctl plus readable plist metadata`
Findings	`up to 10 retained items`
Classification	`expected or routine`, `worth review`, `high-priority review`, `uncertain due to missing evidence`
Mutation policy	`report only`
Output	`Markdown evidence pack`

Keep the run conservative: prefer compact metadata and exact file paths over long plist dumps, rank path/ownership/arguments anomalies over generic suspicion, suppress routine Apple and enterprise-agent noise, and treat suspicious persistence as a review signal rather than proof.

Prompt Inputs

Add context only when the host has expected background agents or special review priorities, for example:

Expected user and system launch items include Tailscale, corporate endpoint tooling, Docker Desktop, and standard vendor updaters.
Prioritize user-level LaunchAgents, recently changed items, and jobs that execute from user-writable paths.
If you find a suspicious LaunchAgent or LaunchDaemon, include one concrete follow-up file path or launchctl command to inspect next.

Docs

Codex Automations