See EVERYTHING that runs on your Mac. Understand WHY it runs. Decide WHAT stays.
MacPersistenceChecker shows you everything that runs automatically on your Mac, explains why it matters, and helps you decide what to keep or remove.
→ Find malware → Detect hidden persistence → Understand your system in minutes
Download MacPersistenceChecker v2.0.0 (DMG)
→ Scan your Mac in under 30 seconds → No install wizard, just open and run → Native macOS, universal (Apple Silicon & Intel), macOS 13+
If macOS says the app is damaged:
xattr -cr /Applications/MacPersistenceChecker.app
- "Why is my Mac slow?" → find hidden auto-start apps and login items
- "Am I infected?" → detect suspicious persistence, signed-but-dangerous binaries
- "What did this installer add?" → snapshot diff before/after install with AI explanation
- "What runs at login?" → full visibility across 22+ persistence mechanisms
- "Is this safe?" → AI explains in plain language, with MITRE ATT&CK mapping
- Built for macOS — not a Windows port. Knows about LaunchAgents, TCC, kernel extensions, dylib hijacking, BTM, MDM profiles, the lot.
- AI-assisted triage (optional) — Claude classifies thousands of items in seconds, learns your environment over time
- Knowledge graph instead of flat lists — decide once per concept, verdict propagates to all related items
- Behavioral + context-aware — risk scores combine signature, behavior, intent mismatch, age anomaly, LOLBins, more
- No telemetry, no cloud sync — all analysis local. AI is opt-in and user-paid via your own Anthropic key
- No data leaves your machine unless you opt-in to AI features
- All scanning, risk scoring, and graph reasoning runs locally
- AI calls go directly to Anthropic with your own API key — no proxy, no logging
- API key stored in macOS Keychain
- Source code open: see what it sends and how
The app learns your system and classifies thousands of items automatically.
- 🧠 Groups similar items into concept clusters (6800 items → ~280 clusters)
- 📚 Learns what you trust — verdicts propagate to related items, including future ones
- 🔇 Reduces noise over time — first triage is the biggest, then it stays quiet
- 🎯 Five AI tools: per-item analysis, batch cluster triage, full system report, threat hunting Q&A, snapshot diff explanation
Quick start:
- Settings → AI → paste your Anthropic API key (saved in macOS Keychain)
- Settings → Monitoring → flip the Use AI toggle on
- Toolbar → Triage to bulk-classify clusters, or Hunt to ask natural-language questions
Realistic cost: <$1/month for active use, $0 for steady state.
How it works (technical)
The app builds a knowledge graph of every persistence item on your Mac and uses Claude (Anthropic) to reason over it. Classify thousands of items quickly, escalate only what really matters, and learn your system so it answers most questions without further AI calls.
┌──────────────────────────┐
│ Persistence scan │
│ (e.g. 6800 items) │
└─────────────┬────────────┘
▼
┌────────────────────────────────────────┐
│ Concept Extraction (deterministic) │
│ 6 extractors → vendor / software / │
│ pathCategory / pattern / mechanism / │
│ filename. No AI calls here. │
└─────────────┬──────────────────────────┘
▼
┌────────────────────────────────────────┐
│ Knowledge Graph (SQLite) │
│ • concepts (~280 typically) │
│ • concept_links (subsumes / instance) │
│ • item_concepts (m:n) │
│ • concept_verdicts │
└─────────────┬──────────────────────────┘
▼
┌────────────────────────────────────────┐
│ Concept Resolver │
│ for every item, picks the strongest │
│ verdict via a deterministic ladder: │
│ severity → confidence → specificity │
│ → source → recency. │
└─────────────┬──────────────────────────┘
│
┌───────────┴────────────┐
▼ ▼
┌──────────────────┐ ┌──────────────────────┐
│ Item is already │ │ Item is unresolved │
│ classified. │ │ → goes to a cluster. │
│ Filter hides it │ └──────────┬───────────┘
│ from "Suspicious"│ ▼
└──────────────────┘ ┌──────────────────────┐
│ Cluster Builder │
│ groups items by │
│ identical concept │
│ signature (sorted │
│ ids). 6800 items → │
│ ~280 clusters. │
└──────────┬───────────┘
▼
┌──────────────────────────────────────────┐
│ User decides per cluster (one click = │
│ N items decided), OR sends batch to AI: │
│ │
│ • Trust / Watch / Block (manual) │
│ • Send unresolved clusters to AI │
│ → Haiku batch (15 cluster per call) │
│ → AI returns verdicts attached to │
│ concepts (not items) — propagate │
│ to ALL items linked to those │
│ concepts, including future ones. │
└──────────────────────────────────────────┘
| Tool | Where | Model | Cost / call |
|---|---|---|---|
| Analyze with AI (single item) | Item detail → Knowledge Graph | Haiku | ~$0.003 |
| Smart Triage batch | Toolbar → Triage | Haiku batch | ~$0.005 (15 clusters) |
| System Report | Toolbar → Report | Sonnet | ~$0.05-0.10 |
| Threat Hunt | Toolbar → Hunt | Haiku | ~$0.003 |
| Snapshot Diff | History → Compare → Analyze with AI | Haiku | ~$0.003 |
Daily call cap (default 30) configurable in Settings → AI. Hard ceiling, AI auto-disables when reached.
User-defined rules always win over AI-extracted ones:
- Trust this item — singleItem rule, your verdict overrides AI watchlist
- Trust this pattern — pattern rule with TeamID/signature anchor (signed binaries only)
- Remove trust — delete a user-defined rule you added by mistake
- Watch / Block — apply watchlist/malicious verdict to a whole cluster in Smart Triage
- Launch Daemons - System-wide services (
/Library/LaunchDaemons,/System/Library/LaunchDaemons) - Launch Agents - User-level agents (
~/Library/LaunchAgents,/Library/LaunchAgents) - Login Items - Apps that start at login
- Kernel Extensions - Legacy kexts
- System Extensions - Modern system extensions (DriverKit, NetworkExtension, EndpointSecurity)
- Privileged Helper Tools - XPC services with elevated privileges
- Cron Jobs - Scheduled tasks
- Configuration Profiles - MDM and configuration profiles
- Application Support - Background apps and helpers
- Periodic Scripts - Daily, weekly, monthly scripts in
/etc/periodic/ - Shell Startup Files -
.zshrc,.bashrc,/etc/profilewith suspicious pattern detection - Login/Logout Hooks - Legacy login hooks via
com.apple.loginwindow - Authorization Plugins - Security Agent plugins in
/Library/Security/SecurityAgentPlugins - Spotlight Importers - Custom metadata importers
- Quick Look Plugins - Preview generators that could be abused
- Directory Services Plugins - Authentication plugins
- Finder Sync Extensions - Finder extensions via pluginkit
- BTM Database - Background Task Management entries (macOS 13+)
- Dylib Hijacking - Detection of
DYLD_INSERT_LIBRARIESand suspicious dylib injection - TCC/Accessibility - Apps with Accessibility permissions in TCC database
Every persistence item gets a Risk Score (0-100) based on multiple factors:
- Invalid or missing code signatures
- Missing hardened runtime protection
- Ad-hoc signed binaries
- Suspicious file locations
- Persistent auto-start configurations (RunAtLoad, KeepAlive)
- Known malware patterns
Severity Levels: Low, Medium, High, Critical - items sorted by risk for quick threat identification.
- Micro-Restart - StartInterval < 60 seconds (possible watchdog abuse)
- Aggressive Watchdog - KeepAlive + low StartInterval combination
- No Throttle Limit - KeepAlive without ThrottleInterval (crash-restart loop risk)
- Dangerous Entitlements - Detection of risky entitlements (
com.apple.security.cs.disable-library-validation, etc.) - Apple Impersonation - Non-Apple software trying to appear as Apple
- Hidden Locations - Signed apps in suspicious directories
- Notarization Gaps - Recent apps lacking notarization
- Developer Certificate Analysis - Team ID validation against known vendors
Detects suspicious use of legitimate macOS binaries in persistence contexts. The combo matters:
- osascript + persistence = AppleScript with auto-start (GUI automation abuse)
- curl/wget + RunAtLoad = Download & execute pattern
- python + privileged helper = Elevated script execution
- security + KeepAlive = Credential harvesting risk
- launchctl + auto-start = Meta-persistence installer
- netcat + persistence = Reverse shell / C2 channel
40+ LOLBins tracked with MITRE ATT&CK mappings and context-aware severity scoring.
Advanced heuristics to detect suspicious behavioral patterns:
- Hidden Persistence Guard - KeepAlive agent without obvious watchdog purpose
- Aggressive Persistence - RunAtLoad + KeepAlive on non-service items
- Stealthy Auto-Start - Background process from unknown vendor
- Orphaned Persistence - Plist points to non-existent executable
- Suspicious Location - Executable in
/tmp/,/Users/Shared/, or hidden directories - Privilege Escalation Risk - User agent attempting privileged operations
- Network-Enabled Persistence - Persistence with network capabilities
- Script-Based Persistence - Inline scripts via interpreters
- System Process Impersonation - Non-Apple item using Apple-like naming
- Frequent Restart Pattern - StartInterval < 60 seconds
Detects when what the plist declares doesn't match what the binary actually does - exactly what modern droppers do:
- Innocent Plist, Heavy Binary - Simple config but binary has dangerous entitlements
- Passive Helper with Network - Background helper with network client/server access
- Passive Helper with Dylib Loading - Helper that can load unsigned code
- Minimal Config, Maximum Capabilities - Minimal plist but extensive entitlements
- Simple Task with Keychain Access - Simple-looking task with credential access
Detects suspicious timestamp patterns that indicate post-install malicious updates:
- Old Plist, New Binary - Classic "malicious update post-install" pattern
- Silent Binary Swap - Binary modified without plist change
- Timestamp Manipulation - Modification date before creation date (impossible)
- Suspicious Modification Time - Binary modified at 2-5 AM
- Binary Modified After Install - Non-updater binary changed after initial install
- 🟢 Apple - Signed by Apple
- 🔵 Known Vendor - Verified third-party software
- 🟡 Signed - Valid signature but not notarized
- ⚪ Unknown - No executable to verify
- 🟠 Suspicious - Expired certificate or suspicious path
- 🔴 Unsigned - No valid signature
Comprehensive forensic timeline for each persistence item:
Discovery
- First Seen - When the item was first discovered
Configuration File (Plist)
- Created - File creation timestamp
- Modified - Last modification timestamp
Executable (Binary)
- Created - Binary creation timestamp
- Modified - Last modification timestamp
- Last Executed - Last access/execution time
- Timestomping - Creation date after modification date (anti-forensics technique)
- File Replacement - File created after initial discovery
- Binary Swap - Recently modified binary with old plist (possible trojan)
- Recent Execution - Binary accessed recently but not currently loaded
Every persistence mechanism mapped to MITRE ATT&CK framework:
- Tactics: Persistence, Privilege Escalation, Defense Evasion, Execution
- Techniques: T1543.001, T1543.004, T1547.001, T1547.015, and more
- Direct links to MITRE ATT&CK documentation
Comprehensive analysis of installed apps to evaluate their "invasiveness" level:
Persistence Score (0-100) - Evaluates persistence mechanisms:
- Trigger types (RunAtLoad, KeepAlive)
- Privilege levels (LaunchDaemons, Kernel Extensions, Privileged Helpers)
- Resilience (auto-restart, updaters)
- Redundancy (multiple items from same vendor)
- Trust level (unsigned/suspicious penalties)
Installation Score (0-100) - Evaluates "junk" footprint:
- File spread across Library folders
- Total disk usage
- Orphan files (persistence without matching app)
- Cache bloat
- System-wide installations
Apps rated A through F based on combined score with detailed breakdown of all scoring factors.
- Risk Distribution Histogram - Items by risk bands (Low, Medium, High, Critical)
- Trust Level Donut Chart - Distribution across trust levels
- Category Breakdown Chart - Items per persistence category
- Timeline Visualization - Item lifecycle events (Created, Modified, Executed, Discovered)
- Full System Graph - Overview of all persistence items and relationships
- Focused Item Graph - Radial graph for individual item analysis
- Analysis Modes: Basic (trust/categories) or Full (includes dylib dependencies, network connections)
- Interactive Canvas - Zoom, pan, explore relationships
- Color-coded by trust level - Quick visual threat assessment
Comprehensive radar chart showing Trust, Signature, Safety, Stability, Transparency, and Age dimensions at a glance.
Continuous monitoring of persistence changes with two analysis modes.
Standard Mode
- FSEvents-based real-time file system monitoring
- Intelligent noise suppression with configurable debounce
- Relevance scoring to filter insignificant changes
- Immediate notifications for high-relevance changes
AI Mode (requires Claude API key)
- Claude AI analyzes each detected change
- Full context sent to AI: signature info, LOLBins, behavioral anomalies, risk scores
- AI decides if change warrants notification based on actual threat level
- Configurable check interval (30s to 1 hour)
- Severity threshold filtering (Info, Low, Medium, High, Critical)
- Real-time monitoring status indicator
- Mode badge showing "AI" or "Std"
- Quick controls (Start/Stop monitoring, trigger scan)
- Settings access
- Badge count for unacknowledged changes
- Last detected change preview
- Same item won't trigger repeated notifications within cooldown period
- Configurable cooldown (1-24 hours, default 2 hours)
- Prevents notification fatigue from frequently-changing items
When monitoring starts, you receive a notification confirming:
- Active mode (AI Mode or Standard Mode)
- Check interval (AI) or "Real-time" (Standard)
- Notification threshold settings
- Added - New persistence items
- Removed - Deleted items
- Modified - Configuration changes (enabled/disabled, path changes, etc.)
- Enabled/Disabled - State changes
When AI mode is active, each change sends complete item data to Claude:
- Basic info (name, category, paths, plist content)
- Signature details (signed, Apple, notarized, team ID, certificate status)
- Risk assessment (score, detailed breakdown)
- LOLBins detections with MITRE mappings
- Behavioral anomalies
- Intent mismatches (plist vs binary)
- Age anomalies (timestamp analysis)
- Signed-but-dangerous flags
Claude responds with:
shouldNotify- Whether to alert the userseverity- Threat level assessmenttitle- Notification titleexplanation- Why this is or isn't suspiciousrecommendation- Suggested actionmitreTechniques- Relevant ATT&CK techniques
Control how the AI analyzes changes via Settings → AI:
Structured Options
| Option | Default | Effect |
|---|---|---|
| Ignore Apple-signed | ON | Deprioritize items signed by Apple (com.apple.*) |
| Ignore system paths | ON | Deprioritize /System and /Library paths |
| Prioritize unsigned | ON | Extra attention to unsigned executables |
| Focus on LOLBins | ON | Prioritize Living-off-the-Land Binaries detection |
| Minimum risk score | 0 | Only analyze items with risk >= threshold |
| Ignored paths | - | Custom paths to skip (comma-separated) |
Notification Threshold
Info- Notify everythingLow- Notify low severity and aboveMedium- Notify medium and above (default)High- Only high and criticalCritical- Only critical threats
Custom Prompt Add your own instructions that are appended to the AI prompt. Examples:
Always notify me if an item uses python or osascript.
Ignore anything from Microsoft.
Be more aggressive with unsigned items from ~/Downloads.
The AI uses these preferences to make smarter decisions. For example:
- Unsigned LaunchAgent from
/tmp/→ Critical notification - Signed Dropbox update → No notification (info)
osascriptwithRunAtLoad→ High notification
MacPersistenceChecker includes an MCP (Model Context Protocol) server that allows Claude Code, Claude Desktop, and other MCP-compatible clients to query persistence data.
swift build --target MPCServerThe binary is created at .build/debug/mpc-server.
| Tool | Description |
|---|---|
get_current_state |
Get all current persistence items with optional filters |
get_diff |
Get changes from baseline or specific snapshot |
get_summary |
Compact overview with counts and top threats |
get_item_details |
Full details for a specific item by identifier |
get_risk_analysis |
Aggregated risk analysis with recommendations |
get_snapshots |
List available snapshots with metadata |
compare_snapshots |
Compare two snapshots for changes |
Add to your Claude Code MCP settings (~/.claude/claude_desktop_config.json or similar):
{
"mcpServers": {
"macpersistence": {
"command": "/path/to/mpc-server",
"args": []
}
}
}Once configured, you can ask Claude Code:
- "What persistence items are on this Mac?"
- "Show me unsigned items with high risk scores"
- "What changed since the last snapshot?"
- "Analyze the risk of items in the LaunchAgents category"
- "Compare today's snapshot with yesterday's"
- Read-only access to MacPersistenceChecker's SQLite database
- JSON-RPC 2.0 protocol over stdio
- Filters by category, trust level, risk score, Apple-signed status
- Full snapshot and diff capabilities
- No separate API key required (uses local database)
- Create snapshots of your system state
- Compare snapshots to detect changes over time
- Track new, removed, or modified persistence items
- Identify when suspicious items were added
Machine-readable export for security pipelines:
- SIEM Integration - Ingestible by Splunk, Elastic, etc.
- SOAR Compatibility - Ready for automated response workflows
- LLM Analysis - Structured data for AI-powered analysis
- IR Pipelines - Compatible with OSINT and incident response tools
- Full system metadata (hostname, macOS version, hardware model, serial)
- All persistence items with complete analysis
- Risk scores, LOLBins, behavioral anomalies, intent mismatches, age analysis
- MITRE ATT&CK mappings
- Complete forensic timeline with Unix timestamps
- Critical findings with recommendations
Button enabled only after scan completion.
Safely neutralize suspicious persistence items without permanent deletion:
- Quick Contain - Disable persistence + block network (recommended)
- Disable Only - Remove from auto-start without network block
- Network Block Only - Block network access while keeping persistence active
- Automatic Backup - Original plist saved before any modification
- Timed Release - Auto-restore after configurable timeout (default 24h)
- Manual Release - Instantly restore contained items
- Action Log - Complete audit trail of all containment actions
- PF firewall rules to block outbound connections
- Per-binary blocking by executable path
- Survives app restart
- Quarantine suspicious item while investigating
- Test if removing persistence breaks functionality
- Temporarily disable without losing configuration
- Reveal in Finder - Quickly locate files
- Open Plist - View configuration files
- View Graph - Per-item graph visualization
- Disable/Enable - Safely disable items (with admin privileges for system items)
- Contain - Quarantine suspicious items with automatic backup
- Export JSON - Export forensic report for SIEM/SOAR/IR
git clone https://github.com/Pinperepette/MacPersistenceChecker.git
cd MacPersistenceChecker
./build.shCopy MacPersistenceChecker.app to /Applications/.
- macOS 13.0+
- Xcode 15+ or Swift 5.9+
- GRDB.swift - SQLite database
Requires Full Disk Access to scan:
/Library/LaunchDaemons- System configuration files
- TCC database
- Shell startup files
Without Full Disk Access, some items may not be visible.
MIT License - See LICENSE for details.
pinperepette - 2025
Inspired by Autoruns for Windows by Mark Russinovich