

Understanding OS X Malware: “Methods of Malware Persistence on OS X” - CoffeePower
http://osxdaily.com/2014/06/25/advanced-guide-to-understanding-os-x-malware-synack-pres/

======
CoffeePower
The linked KnockKnock script is interesting:

"KnockKnock is command line python script that displays persistent OS X
binaries that are set to execute automatically at each boot. Since KnockKnock
takes an unbiased approach it can generically detect persist OS X malware,
both today, and in the future. It should be noted though, this approach will
also list legitimate binaries. However, as KnockKnock by default, will filter
out unmodified Apple-signed binaries, the output is greatly reduced, leaving a
handful of binaries that quickly can be examined and manually verified."

[https://github.com/synack/knockknock](https://github.com/synack/knockknock)

