JXA situational awareness helper by simply reading specific files on a filesystem
Health Inspector is designed to help provide some additional situation awareness for operations on macOS by doing a lot of discovery by simply reading PLIST files or other files on disk that any user can read. I wanted to find another way to do discovery in JXA and macOS in general without having to spawn a bunch of bash commands.
To run the functions within HealthInspector with Apfell, use the jsimport
and jsimport_call
functions within the apfell-jxa
payload. When you run jsimport_call
be sure to specify the function you want to execute afterwards, such as: jsimport_call All_Checks()
.
If you want to execute this outside of an Apfell apfell-jxa payload, you can execute it with osascript:
osascript HealthInspector.js
. You will need to append to the bottom of the script the function you want to call though. The script itself is just a list of functions.
A lot of these functions are user specific. If you're running as root
or another user and want to get this information for a specific user, simply supply the username to the function call as follows: jsimport_call All_Checks({user: "itsafeature"});
The current list of functions and associated files is below:
Function | Description | Plist |
---|---|---|
Persistent_Dock_Apps | List what applications are persistently docked (including folders) | ~/Library/Preferences/com.apple.dock.plist |
Spaces_Check | How many desktops are there for the user and which one is currently active | ~/Library/Preferences/com.apple.spaces.plist |
Get_Office_Email | Get the user's office activation email | ~/Library/Preferences/com.microsoft.office.plist |
Saved_Printers | Get information about printers (name and IP) | ~/Library/Preferences/org.cups.PrintingPrefs.plist |
Finder_Preferences | Recent folders, show hidden files, recent move/copy destination, GoTo destinations, prior mounted volumes, etc | ~/Library/Preferences/com.apple.finder.plist |
Launch_Services | Mappings of programs to URL schemas and programs to file extensions | ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist |
Universal_Access_Auth_Warning | List of programs that have caused a universal access prompt | ~/Library/Preferences/com.apple.universalaccessAuthWarning.plist |
Relaunch_At_Login | Applications that are open now and will potentially be re-opened after reboot | ~/Library/Preferences/ByHost/*.com.apple.loginwindow.plist |
Login_Items | Login Items | ~/Library/Preferences/com.apple.loginitems.plist |
User_Dir_Hidden_Files_Folders | Look for all hidden files and folders in the user's home directory | ~/ |
User_Global_Preferences | Show all extensions, finder extensions, recent places, and default browser | ~/Library/Preferences/.GlobalPreferences.plist |
User_Launchagents | Information about the user's launch agents (if any exist) | ~/Library/LaunchAgents/* |
User_Launchdaemons | Information about the user's launch daemons (if any exist) | ~/Library/LaunchDaemons/* |
System_Launchdaemons | Information about the system's launch daemons | /Library/LaunchDaemons/* |
Installed_Software_Versions | Installed software versions, install date, and process name | /Library/Receipts/InstallHistory.plist |
Unique_Bash_History_Sessions | Reads all these files into a Set (which removes duplicates) and returns a list of all unique commands run | ~/.bash_sessions/*, ~/.bash_history, ~/.zsh_history |
SSH_Keys | Dump of all files in this folder | ~/.ssh/* |
Slack_Download_Cache_History | List out all Slack downloads and where they were saved to | ~/Library/Application Support/Slack/storage/slack-downloads |
Slack_Team_Information | Dump out information saved about all teams the user has saved | ~/Library/Application Support/Slack/storage/slack-teams |
Recent_Files | List of 10 most recent applications accessed by the user. In 10.15 this now requires Full Disk Access permissions | ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications.sfl2 |
Firewall | List out exempted programs, explicitly authed programs, and the state of certain firewall groups | /Library/Preferences/com.apple.alf.plist |
Airport_Preferences | Details about all WiFi networks you've connected to and which other ones were nearby that you also connected to | /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist |
SMB_Server | Kerberos Realm, NetBios name, Host description | /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist |
WiFi_Messages | List of WiFi association SSIDs | /Library/Preferences/SystemConfiguration/com.apple.wifi.message-tracer.plist |
Network_Interfaces | List of basic network interfaces, active, type, and user information | /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist |
Bluetooth_Connections | List of bluetooth connections, when they last connected, and what class of item/name | /Library/Preferences/com.apple.Bluetooth.plist |
OS_Version | Software build version, name, and normal version | /System/Library/CoreServices/SystemVersion.plist |
Forcepoint_DLP_Information | Returns Forcepoint Data Loss Prevention config, if present | /Library/Application Support/Websense Endpoint/DLP/DLPClient.plist |
Krb5_AD_Config | Returns Kerberos/AD config information, if present | /etc/krb5.conf |
Krb5_AD_Logging | Returns Kerberos logging configuration, if present | /Library/Preferences/com.apple.Kerberos.plist |
PaloaltoGlobalProtect | Returns Palo Alto Networks GlobalProtect config, if present | /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist |
AVEnum | Check existence of files/folders on disk and running processes for known EDR/AV products | |
All_Checks | Do all of the above checks | |
User_Preferences | Do all checks related to the user specifically | |
Global_Preferences | Do all checks related to global preferences that don't fall in ~/ |
Please open pull requests for new files you find to parse that provide useful information. If possible, please also include the file (or example of the file) if it's not a default Apple plist