
macOS Persistence Cheatsheet

v1.2 (08/04/2026) patch note

Summary

  • The total number of documented mechanisms increased from 31 to 39 (+8 rows, no removals).

UI / UX

  • Better colors

Added

  • Added a Privileged Helper Tools entry covering the classic SMJobBless layout (/Library/PrivilegedHelperTools + matching /Library/LaunchDaemons plist) and modern bundle-embedded helpers under <App>.app/Contents/Library/LaunchServices.
  • Added an SSH rc entry for ~/.ssh/rc and chained payload drops commonly staged under ~/.security/.
  • Added a Calendar Alerts / EventKit entry for alarm-based execution triggers, covering ~/Library/Calendars/, Calendar Cache, and ~/Library/Preferences/com.apple.iCal.plist.
  • Added a Finder Sync Extensions entry for .appex bundles registered via pluginkit.
  • Added an Application Support helpers entry for suspicious executables, scripts, and launch-style .plist files staged under ~/Library/Application Support/.
  • Added an Application startup scripts entry for app-specific launch-script hooks such as ~/.atom/init.coffee, iTerm2 AutoLaunch/iTerm.py, and Sublime Text’s sublime.py.
  • Added an App preference triggers entry for persistence hidden in user preferences: Dock tiles, Terminal command strings, and Screen Saver modules.
  • Added a TCC / Accessibility Grants entry covering both user and system TCC.db as a capability-amplification surface adjacent to persistence.

Expanded Coverage

  • Expanded Shell init (zsh) and Shell init (bash / sh) to include hidden helper drops under ~/.security/.
  • Expanded Cron to include hidden payload paths such as ~/Public/Drop Box/.share.sh.
  • Expanded Application / daemon plug-ins to include Sublime Text packages, ~/.vim/plugin, and ~/Library/Application Support/xbar/plugins.
  • Expanded Login Hooks to include the root-scoped /private/var/root/Library/Preferences/com.apple.loginwindow.plist and shared payload staging under /Users/Shared/.security/.
  • Expanded Periodic Jobs to include /usr/local/etc/periodic/{daily,weekly,monthly} alongside the system /etc/periodic tree.
  • Expanded KEXTs to include /System/Library/Extensions alongside /Library/Extensions.
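
A triage sketch for the user-scope paths named in the Added and Expanded Coverage lists above, given as an added example and not as part of the cheatsheet. The function name audit_home and its output labels are hypothetical, and it assumes that a "launch-style" plist is an XML plist carrying the launchd keys ProgramArguments or RunAtLoad.

```shell
#!/bin/sh
# Added example (not from the cheatsheet). audit_home and its labels are hypothetical.
# Usage: audit_home /Users/name   (or a mounted copy of a home directory)
audit_home() {
    home=$1
    # Single files whose presence alone deserves review.
    for rel in ".ssh/rc" "Public/Drop Box/.share.sh" ".atom/init.coffee"; do
        if [ -f "$home/$rel" ]; then printf 'FILE\t%s\n' "$rel"; fi
    done
    # Hidden staging directory: report every file inside it.
    if [ -d "$home/.security" ]; then
        find "$home/.security" -type f | while IFS= read -r f; do
            printf 'STAGED\t%s\n' "${f#"$home"/}"
        done
    fi
    # Application Support: scripts, executables and launch-style plists.
    as="$home/Library/Application Support"
    if [ -d "$as" ]; then
        find "$as" -type f | while IFS= read -r f; do
            case $f in
                *.plist)
                    # XML plists only; convert binary plists before scanning.
                    grep -Eq '<key>(ProgramArguments|RunAtLoad)</key>' "$f" || continue
                    kind=LAUNCH_PLIST ;;
                *.sh|*.py) kind=SCRIPT ;;
                *) [ -x "$f" ] || continue
                   kind=EXECUTABLE ;;
            esac
            printf '%s\t%s\n' "$kind" "${f#"$home"/}"
        done
    fi
    return 0
}
```

Each output line is a tab-separated label and a path relative to the audited home, so results from several accounts can be concatenated and diffed against a known-good baseline.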



Old versions

v1.1 (08/04/2026)

UI / UX

  • Compacted view-controls to reduce visual footprint.
  • Strengthened the glass effect on the sticky controls panel.
  • Trimmed some longer UI.
  • Harmonized a few labels.

Scroll Behavior

  • The helper text (control-copy) now hides on scroll.
  • The quick-nav moves up into the freed space to keep the header more compact.
  • The scrolled layout is now more responsive on intermediate screen widths.

Focus Mode

  • Overview tags are now hidden in Focus mode for a cleaner reading experience.

Overview / Mechanism

  • Added and fixed badges for: Scope, Source of Truth, Signal, Required Privilege, False Positive Risk
  • Standardized badge ordering.
  • Fixed False Positive Risk badge color.
  • Fixed missing color styling for Required Privilege and Source of Truth.
