This artifact looks for recent Wifi networks to which a host has joined. This can be useful in determining where a machine has been, or if a user has joined an illegitimate or unauthorized wireless network. *Tested on macOS Monterey
name: MacOS.Network.RecentWifiNetworks
description:
This artifact looks for recent Wifi networks to which a host has joined. This can be useful in determining where a machine has been, or if a user has joined an illegitimate or unauthorized wireless network.
*Tested on macOS Monterey
type: CLIENT
author: Wes Lambert - @therealwlambert
parameters:
- name: RecentWifiNetworksGlob
default: /Library/Logs/com.apple.wifi.recent-networks.json
precondition:
SELECT OS From info() where OS = 'darwin'
sources:
- query: |
LET RecentNetworksLocation = SELECT OSPath from glob(globs=RecentWifiNetworksGlob)
LET RecentNetworks = SELECT parse_json(data=read_file(filename=OSPath)) AS RN FROM RecentNetworksLocation
LET EachNetwork = SELECT * from foreach(
row=RecentNetworks,
query={
SELECT _key AS Network, _value AS Value
FROM items(item=RN)
}
)
SELECT Network AS Network,
base64decode(string=Value.SSID) AS SSID,
Value.AddReason AS AddReason,
Value.AddedAt AS AddedAt,
Value.UpdatedAt AS UpdatedAt,
Value.JoinedByUserAt AS JoinedByUserAt,
Value.JoinedBySystemAt AS JoinedBySystemAt,
Value.SupportedSecurityTypes AS SupportedSecurityTypes,
Value.Hidden AS Hidden,
Value.SystemMode AS SystemMode,
Value.CaptiveProfile.CaptiveNetwork AS CaptiveNetwork,
Value.__OSSpecific__.ChannelHistory AS ChannelHistory,
Value.__OSSpecific__.CollocatedGroup AS _CollocatedGroup,
Value.PasspointSPRoamingEnabled AS _PasspointSPRoamingEnabled,
Value AS _Data
FROM EachNetwork