Feature Request: - Loginitems parser

[flarman-r7]

Howdy Velociraptor Dev Team!

Hope you all are doing well?
I have a feature request I wanted to run by the team in regards to creating an Artifact to parse loginitems on macOS.

Feature Request: Loginitems Artifact

Objective: I want to be able to run an artifact to parse the loginitems details from macOS devices as these may be used to achieve persistence.

file location per user: /Users//Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm

Research

I found there are a number of projects that can parse the loginitems data ('backgrounditems.btm'):

• https://github.com/luckman212/login-items-dump/blob/main/login-items-dump
• https://github.com/puffyCid/macos-loginitems
• https://github.com/strozfriedberg/plistutils

The above projects seem to be following the same 'Key' enumeration for Mac Bookmark format.
reference: https://mac-alias.readthedocs.io/en/latest/bookmark_fmt.html

I have also tried using the plist function in VQL but this outputs to base64 and does not properly parse the data as it is a binary plist. (Lots of gibberish)

I tried doing this using parse_binary, but it is something beyond my skill level, I'm wondering if this is a feature the team would be willing to add?

Cheers!

[scudette]

If you can provide some sample files we can add them to the tests

[flarman-r7]

Hi Mike, I spoke with Matt previously about this and he seemed to think it was feasible as it was a known struct and there were sample files included in the previous projects linked (see https://github.com/puffyCid/macos-loginitems/tree/main/tests/test_data). I understand he has now left. Is this something that could still be looked at? Cheers!