Skip to content


Latest commit



59 lines (50 loc) · 6.21 KB

File metadata and controls

59 lines (50 loc) · 6.21 KB


JXA situational awareness helper by simply reading specific files on a filesystem


Health Inspector is designed to help provide some additional situation awareness for operations on macOS by doing a lot of discovery by simply reading PLIST files or other files on disk that any user can read. I wanted to find another way to do discovery in JXA and macOS in general without having to spawn a bunch of bash commands.


To run the functions within HealthInspector with Apfell, use the jsimport and jsimport_call functions within the apfell-jxa payload. When you run jsimport_call be sure to specify the function you want to execute afterwards, such as: jsimport_call All_Checks().

If you want to execute this outside of an Apfell apfell-jxa payload, you can execute it with osascript: osascript HealthInspector.js. You will need to append to the bottom of the script the function you want to call though. The script itself is just a list of functions.

A lot of these functions are user specific. If you're running as root or another user and want to get this information for a specific user, simply supply the username to the function call as follows: jsimport_call All_Checks({user: "itsafeature"});

Current Functions

The current list of functions and associated files is below:

Function Description Plist
Persistent_Dock_Apps List what applications are persistently docked (including folders) ~/Library/Preferences/
Spaces_Check How many desktops are there for the user and which one is currently active ~/Library/Preferences/
Get_Office_Email Get the user's office activation email ~/Library/Preferences/
Saved_Printers Get information about printers (name and IP) ~/Library/Preferences/org.cups.PrintingPrefs.plist
Finder_Preferences Recent folders, show hidden files, recent move/copy destination, GoTo destinations, prior mounted volumes, etc ~/Library/Preferences/
Launch_Services Mappings of programs to URL schemas and programs to file extensions ~/Library/Preferences/
Universal_Access_Auth_Warning List of programs that have caused a universal access prompt ~/Library/Preferences/
Relaunch_At_Login Applications that are open now and will potentially be re-opened after reboot ~/Library/Preferences/ByHost/*
Login_Items Login Items ~/Library/Preferences/
User_Dir_Hidden_Files_Folders Look for all hidden files and folders in the user's home directory ~/
User_Global_Preferences Show all extensions, finder extensions, recent places, and default browser ~/Library/Preferences/.GlobalPreferences.plist
User_Launchagents Information about the user's launch agents (if any exist) ~/Library/LaunchAgents/*
User_Launchdaemons Information about the user's launch daemons (if any exist) ~/Library/LaunchDaemons/*
System_Launchdaemons Information about the system's launch daemons /Library/LaunchDaemons/*
Installed_Software_Versions Installed software versions, install date, and process name /Library/Receipts/InstallHistory.plist
Unique_Bash_History_Sessions Reads all these files into a Set (which removes duplicates) and returns a list of all unique commands run ~/.bash_sessions/*, ~/.bash_history, ~/.zsh_history
SSH_Keys Dump of all files in this folder ~/.ssh/*
Slack_Download_Cache_History List out all Slack downloads and where they were saved to ~/Library/Application Support/Slack/storage/slack-downloads
Slack_Team_Information Dump out information saved about all teams the user has saved ~/Library/Application Support/Slack/storage/slack-teams
Recent_Files List of 10 most recent applications accessed by the user. In 10.15 this now requires Full Disk Access permissions ~/Library/Application Support/
Firewall List out exempted programs, explicitly authed programs, and the state of certain firewall groups /Library/Preferences/
Airport_Preferences Details about all WiFi networks you've connected to and which other ones were nearby that you also connected to /Library/Preferences/SystemConfiguration/
SMB_Server Kerberos Realm, NetBios name, Host description /Library/Preferences/SystemConfiguration/
WiFi_Messages List of WiFi association SSIDs /Library/Preferences/SystemConfiguration/
Network_Interfaces List of basic network interfaces, active, type, and user information /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
Bluetooth_Connections List of bluetooth connections, when they last connected, and what class of item/name /Library/Preferences/
OS_Version Software build version, name, and normal version /System/Library/CoreServices/SystemVersion.plist
Forcepoint_DLP_Information Returns Forcepoint Data Loss Prevention config, if present /Library/Application Support/Websense Endpoint/DLP/DLPClient.plist
Krb5_AD_Config Returns Kerberos/AD config information, if present /etc/krb5.conf
Krb5_AD_Logging Returns Kerberos logging configuration, if present /Library/Preferences/
PaloaltoGlobalProtect Returns Palo Alto Networks GlobalProtect config, if present /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
AVEnum Check existence of files/folders on disk and running processes for known EDR/AV products
All_Checks Do all of the above checks
User_Preferences Do all checks related to the user specifically
Global_Preferences Do all checks related to global preferences that don't fall in ~/


Please open pull requests for new files you find to parse that provide useful information. If possible, please also include the file (or example of the file) if it's not a default Apple plist