Fix `startup_items` on modern macOS

[ideologysec]

Feature request

What new feature do you want?

Parse the new plist where login items are stored, so the startup_items table is not empty in macOS >=10.13.1

How is this new feature useful?

This will allow for enumeration of login items on the newest versions of macOS (helpful since this is a malware persistence technique).

How can this be implemented?

Similar to how the com.apple.loginitems.plist is parsed for startup_items currently,
since 10.13.1 login items live here:
~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm
(which is a binary plist with some.... interestingly encoded data).

It should be possible to use the CoreFoundation APIs to parse/understand this.

Additional information with further resource links:
https://objective-see.com/blog/blog_0x31.md.html

EDIT:
currently, the path for login items is hardcoded. I would tend to do a version check for the os, and then set the string based on that, or simply set two different strings, which the genStartupItems function could check each against null:

const std::string kLoginItemsPlistPath =
    "Library/Preferences/com.apple.loginitems.plist";
const std::string kNewLoginItemsPlistPath =
    "Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm";

[directionless]

Mojave is ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

[ideologysec]

I'm happy to take a crack at this; the only question I would have is what the current osquery way is for detecting the host macOS version at runtime? I haven't found a good example of this, if someone could point me in that direction that would be awesome.

[directionless]

Two possible routes...

You could look at what the os_version table uses (https://github.com/osquery/osquery/blob/master/osquery/tables/system/darwin/os_version.cpp)

You could try to read all the possible plist files.

[theopolis]

You could try to read all the possible plist files.

Go for this route. Assume the version of the OS does not matter and try to read each known location where login items may be stored. If the file does not exist move on to the next.

[mbhatt1]

Is there a forked project that I can follow that someone is working on?

[theopolis]

Ping @ideologysec

[ideologysec]

I haven't had a chance to touch this; I don't work directly with osquery in my day to day anymore, so this would be a hobby. Thanks for the reminder, I can pick it up and take a look, but can't promise a timeline.

[Cyb3r-Monk]

Does this issue still exist?

[ideologysec]

@Cyb3r-Monk I think this was resolved at some point in the past. I don't know what the current status is regarding background items in Ventura.

[Cyb3r-Monk]

I can still see the login items file under ~/Library/Application\ Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, but I don't see my user's login item in the launchd table and there isn't any other table I could find.