I’m increasingly concerned about applications that act as no applications should need to in the modern era of Apple device management. As such, a simple (albeit computationally expensive) way of finding them is to grep a directory of applications for strings that point to this kind of behavior, and then list the matching files for further inspection:
grep -r -l "LaunchDaemons" /Applications
grep -r -l "LaunchAgents" /Applications
grep -r -l -F ".kext" /Applications
grep -r -l -F ".pkg" /Applications
You can also use find:
find /Applications -type f -exec grep -l 'LaunchDaemons' {} \;
The nice part of using find here is that you can -exec a lot of options without the same type of piping. You can also load the output into an array (e.g. in bash) if you need more logic:
myLaunchDaemonsarray=()
while IFS= read -r -d '' f; do myLaunchDaemonsarray+=("$f"); done < <(find /Applications -type f -exec grep -l --null 'LaunchDaemons' {} \;)
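As an added example (not from the original post), here is the same string search grouped by app bundle, so each bundle is listed once with the indicator strings found inside it. The function names `audit_apps` and `make_demo_tree` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-bundle summary of the indicator strings used in the post.

# audit_apps DIR
# Prints "<bundle path><TAB><comma-separated indicators>" for every .app
# bundle under DIR that contains at least one indicator string.
audit_apps() (
  root="${1:-/Applications}"
  # -prune reports each bundle once without descending into it here;
  # grep -r does the descent. Paths containing newlines are not handled.
  find "$root" -type d -name '*.app' -prune -print | sort |
  while IFS= read -r app; do
    hits=""
    for ind in LaunchDaemons LaunchAgents .kext .pkg; do
      # -F: literal match, so "." is not a regex wildcard
      # -q: stop at the first matching file; --: end of options
      if grep -rqF -- "$ind" "$app" 2>/dev/null; then
        hits="${hits:+$hits,}$ind"
      fi
    done
    if [ -n "$hits" ]; then
      printf '%s\t%s\n' "$app" "$hits"
    fi
  done
)

# make_demo_tree DIR
# Builds a small constructed sample tree for trying the audit offline.
make_demo_tree() {
  mkdir -p "$1/Quiet App.app/Contents" \
           "$1/Utilities/Helper Tool.app/Contents/Resources"
  printf 'nothing of note\n' > "$1/Quiet App.app/Contents/Info.plist"
  # "akext" and "apkg" would match the regexes .kext and .pkg, but not -F
  printf 'akext and apkg\n' > "$1/Quiet App.app/Contents/notes.txt"
  printf 'cp helper.plist /Library/LaunchDaemons/\n' \
    > "$1/Utilities/Helper Tool.app/Contents/Resources/postinstall"
  printf 'installer -pkg payload.pkg -target /\n' \
    > "$1/Utilities/Helper Tool.app/Contents/Resources/update.sh"
}

# When run as a script with a directory argument, audit that directory.
if [ "$#" -gt 0 ]; then
  audit_apps "$1"
fi
```

Bundles that show up here are candidates for a closer look at which files matched, for example with the `grep -r -l` commands above scoped to that bundle.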
These are only a few command-line scriptybits to find such things. There are lots of better, more efficient ways as well; however, simply relying on analyzing what has been written, rather than what wrote it, is a practice to get away from, given the increasingly polymorphic nature of recent distributions of both benign and malware-based software.
Have some other scriptybits for other areas that need to be analyzed? Post ’em in the comments! 🙂