Skip to content

JXA situational awareness helper by simply reading specific files on a filesystem

License

Notifications You must be signed in to change notification settings

its-a-feature/HealthInspector

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

46 Commits
 
 
 
 
 
 

Repository files navigation

HealthInspector

JXA situational awareness helper by simply reading specific files on a filesystem

Purpose

Health Inspector is designed to help provide some additional situation awareness for operations on macOS by doing a lot of discovery by simply reading PLIST files or other files on disk that any user can read. I wanted to find another way to do discovery in JXA and macOS in general without having to spawn a bunch of bash commands.

Execution

To run the functions within HealthInspector with Apfell, use the jsimport and jsimport_call functions within the apfell-jxa payload. When you run jsimport_call be sure to specify the function you want to execute afterwards, such as: jsimport_call All_Checks().

If you want to execute this outside of an Apfell apfell-jxa payload, you can execute it with osascript: osascript HealthInspector.js. You will need to append to the bottom of the script the function you want to call though. The script itself is just a list of functions.

A lot of these functions are user specific. If you're running as root or another user and want to get this information for a specific user, simply supply the username to the function call as follows: jsimport_call All_Checks({user: "itsafeature"});

Current Functions

The current list of functions and associated files is below:

Function Description Plist
Persistent_Dock_Apps List what applications are persistently docked (including folders) ~/Library/Preferences/com.apple.dock.plist
Spaces_Check How many desktops are there for the user and which one is currently active ~/Library/Preferences/com.apple.spaces.plist
Get_Office_Email Get the user's office activation email ~/Library/Preferences/com.microsoft.office.plist
Saved_Printers Get information about printers (name and IP) ~/Library/Preferences/org.cups.PrintingPrefs.plist
Finder_Preferences Recent folders, show hidden files, recent move/copy destination, GoTo destinations, prior mounted volumes, etc ~/Library/Preferences/com.apple.finder.plist
Launch_Services Mappings of programs to URL schemas and programs to file extensions ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Universal_Access_Auth_Warning List of programs that have caused a universal access prompt ~/Library/Preferences/com.apple.universalaccessAuthWarning.plist
Relaunch_At_Login Applications that are open now and will potentially be re-opened after reboot ~/Library/Preferences/ByHost/*.com.apple.loginwindow.plist
Login_Items Login Items ~/Library/Preferences/com.apple.loginitems.plist
User_Dir_Hidden_Files_Folders Look for all hidden files and folders in the user's home directory ~/
User_Global_Preferences Show all extensions, finder extensions, recent places, and default browser ~/Library/Preferences/.GlobalPreferences.plist
User_Launchagents Information about the user's launch agents (if any exist) ~/Library/LaunchAgents/*
User_Launchdaemons Information about the user's launch daemons (if any exist) ~/Library/LaunchDaemons/*
System_Launchdaemons Information about the system's launch daemons /Library/LaunchDaemons/*
Installed_Software_Versions Installed software versions, install date, and process name /Library/Receipts/InstallHistory.plist
Unique_Bash_History_Sessions Reads all these files into a Set (which removes duplicates) and returns a list of all unique commands run ~/.bash_sessions/*, ~/.bash_history, ~/.zsh_history
SSH_Keys Dump of all files in this folder ~/.ssh/*
Slack_Download_Cache_History List out all Slack downloads and where they were saved to ~/Library/Application Support/Slack/storage/slack-downloads
Slack_Team_Information Dump out information saved about all teams the user has saved ~/Library/Application Support/Slack/storage/slack-teams
Recent_Files List of 10 most recent applications accessed by the user. In 10.15 this now requires Full Disk Access permissions ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications.sfl2
Firewall List out exempted programs, explicitly authed programs, and the state of certain firewall groups /Library/Preferences/com.apple.alf.plist
Airport_Preferences Details about all WiFi networks you've connected to and which other ones were nearby that you also connected to /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
SMB_Server Kerberos Realm, NetBios name, Host description /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
WiFi_Messages List of WiFi association SSIDs /Library/Preferences/SystemConfiguration/com.apple.wifi.message-tracer.plist
Network_Interfaces List of basic network interfaces, active, type, and user information /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
Bluetooth_Connections List of bluetooth connections, when they last connected, and what class of item/name /Library/Preferences/com.apple.Bluetooth.plist
OS_Version Software build version, name, and normal version /System/Library/CoreServices/SystemVersion.plist
Forcepoint_DLP_Information Returns Forcepoint Data Loss Prevention config, if present /Library/Application Support/Websense Endpoint/DLP/DLPClient.plist
Krb5_AD_Config Returns Kerberos/AD config information, if present /etc/krb5.conf
Krb5_AD_Logging Returns Kerberos logging configuration, if present /Library/Preferences/com.apple.Kerberos.plist
PaloaltoGlobalProtect Returns Palo Alto Networks GlobalProtect config, if present /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
AVEnum Check existence of files/folders on disk and running processes for known EDR/AV products
All_Checks Do all of the above checks
User_Preferences Do all checks related to the user specifically
Global_Preferences Do all checks related to global preferences that don't fall in ~/

Contributing

Please open pull requests for new files you find to parse that provide useful information. If possible, please also include the file (or example of the file) if it's not a default Apple plist