This artifact looks for applications that are registered and allowed for use of location services by checking the plist file in /var/db/locationd/clients.plist.
This can be useful to help determine if these settings have been modified by an attacker to perform location tracking.
For more information about how location services could be abused, see the following:
name: MacOS.System.LocationServices
description: |
This artifact looks for applications that are registered and allowed for use of location services by checking the plist file in `/var/db/locationd/clients.plist`.
This can be useful to help determine if these settings have been modified by an attacker to perform location tracking.
For more information about how location services could be abused, see the following:
https://medium.com/@slyd0g/where-in-the-world-is-carmen-sandiego-abusing-location-services-on-macos-10e9f4eefb71
type: CLIENT
author: Wes Lambert - @therealwlambert
parameters:
- name: LocationPath
default: /var/db/locationd/clients.plist
precondition:
SELECT OS From info() where OS = 'darwin'
sources:
- query: |
LET LocGlob <= SELECT FullPath FROM glob(globs=LocationPath)
LET LocationPlist = SELECT * FROM plist(file=LocGlob.FullPath)
LET SepApps = SELECT * FROM foreach(row={SELECT _value AS Apps FROM items(item=LocationPlist)}, query={SELECT _value AS App FROM items(item=Apps)})
SELECT
App.BundleId AS BundleId,
App.BundlePath As BundlePath,
App.Whitelisted AS Whitelisted,
App.Authorized AS Authorized,
App.Hide AS Hide,
App.Registered As Registered,
App.Requirement AS Requirement,
App AS _Data
FROM SepApps