
CptOfEvilMinions

03/20/2020, 4:42 PM
To get the system proxy on macOS, here is a query:
SELECT subkey, value FROM plist WHERE path='/Library/Preferences/SystemConfiguration/preferences.plist' AND key='NetworkServices' AND subkey like '%HTTP%P%' AND value != '';
which will produce:
+---------------------------------------------------------+---------+
| subkey                                                  | value   |
+---------------------------------------------------------+---------+
| Proxies/HTTPPort                                        | 5555    |
| Proxies/HTTPSProxy                                      | 1.1.1.1 |
| Proxies/HTTPSPort                                       | 5555    |
| Proxies/HTTPProxy                                       | 1.1.1.1 |
+---------------------------------------------------------+---------+
query:
SELECT DISTINCT p.pid, x.name, x.cmdline, p.local_port FROM process_open_sockets as p JOIN plist as l ON p.local_port=l.value JOIN processes as x ON p.pid=x.pid WHERE l.path='/Library/Preferences/SystemConfiguration/preferences.plist' AND l.key='NetworkServices' AND l.subkey like '%HTTP%Port' AND l.value != '';
which will produce:
+-------+------+------------+------------+
| pid   | name | cmdline    | local_port |
+-------+------+------------+------------+
| 19821 | nc   | nc -l 5555 | 5555       |
+-------+------+------------+------------+

seph

03/21/2020, 1:35 AM
I found working with plist to be a bit buggy. It drops some data in handling arrays-of-maps. kolide_plist may handle it better.
kolide_plist will let you losslessly retrieve the data, which means you can then run it through an EAV style pivot.