# macos
c
To get the system proxy on macOS, here is a query:
```sql
SELECT subkey, value
FROM plist
WHERE path='/Library/Preferences/SystemConfiguration/preferences.plist'
  AND key='NetworkServices'
  AND subkey like '%HTTP%P%'
  AND value != '';
```
which will produce:
```
+---------------------------------------------------------+---------+
| subkey                                                  | value   |
+---------------------------------------------------------+---------+
| Proxies/HTTPPort                                        | 5555    |
| Proxies/HTTPSProxy                                      | 1.1.1.1 |
| Proxies/HTTPSPort                                       | 5555    |
| Proxies/HTTPProxy                                       | 1.1.1.1 |
+---------------------------------------------------------+---------+
```
query:
```sql
SELECT DISTINCT p.pid, x.name, x.cmdline, p.local_port
FROM process_open_sockets as p
JOIN plist as l ON p.local_port=l.value
JOIN processes as x ON p.pid=x.pid
WHERE l.path='/Library/Preferences/SystemConfiguration/preferences.plist'
  AND l.key='NetworkServices'
  AND l.subkey like '%HTTP%Port'
  AND l.value != '';
```
which will produce:
```
+-------+------+------------+------------+
| pid   | name | cmdline    | local_port |
+-------+------+------------+------------+
| 19821 | nc   | nc -l 5555 | 5555       |
+-------+------+------------+------------+
```
s
I found working with `plist` to be a bit buggy. It drops some data in handling arrays-of-maps. `kolide_plist` may handle it better.
`kolide_plist` will let you losslessly retrieve the data, which means you can then run it through an EAV-style pivot.