This method is normally responsible for controlling connection access to the XPC service. If we open this binary file with Hopper (or any other disassembler), we can start our investigation with the shouldAcceptNewConnection: method. This is a highly unusual location, as similar services are normally installed under the /Library/PrivilegedHelperTools/ directory. It contains a Mach service name, with the executable path /Applications/MicrosoftTeams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon.
Listing 1 – Microsoft Teams Updater launchd file Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon % sudo plutil -convert xml1 /Library/LaunchDaemons/.plist -o.