2.2.1

README.md

@@ -2,7 +2,7 @@
 ![](https://github.com/jamf/aftermath/blob/main/AftermathLogo.png)
 
 
-![](https://img.shields.io/badge/release-2.2.0-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)
+![](https://img.shields.io/badge/release-2.2.1-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)
 
 
 ## About
@@ -66,6 +66,61 @@ tcc: process == "tccd"
 ### Note
 Because `eslogger` and `tcpdump` run on additional threads and the goal is to collect as much data from them as possible, they exit when aftermath exits. Because of this, the last line of the eslogger json file or the pcap file generated from tcpdump may be truncated.
 
+### File Collection List
+- Artifacts
+    - Configuration Profiles
+    - Log Files
+    - LSQuarantine Database
+    - Shell History and Profiles (bash, csh, fish, ksh, zsh)
+    - TCC Database
+    - XBS Database (XProtect Behabioral Service)
+- Filesystem
+    - Browser Data (Cookies, Downloads, Extensions, History)
+        - Arc
+        - Brave
+        - Chrome
+        - Edge
+        - Firefox
+        - Safari
+    - File Data
+        - Walk common directories to get accessed, birth, modified timestamps
+    - Slack
+- Memory
+    - Calculate data based on current memory usage, swap, etc.
+- Network
+    - Active network connections
+    - Airport Preferences
+- Persistence
+    - BTM Database
+    - Cron
+    - Emond
+    - Launch Items
+        - Launch Agents
+        - Launch Daemons
+    - Login Hooks
+    - Login Items
+    - Overrides
+        - launchd Overrides
+        - MDM Overrides
+    - Periodic Scripts
+    - System Extensions
+- Processes
+    - Leverage [TrueTree](https://github.com/themittenmac/TrueTree) to create process tree 
+- System Recon
+    - Environment Variables
+    - Install History
+    - Installed Applications
+    - Installed Users
+    - Interfaces
+    - MRT Version
+    - Running Applications
+    - Security Assessment (SIP status, Gatekeeper status, Firewall status, Filevault status, Remote Login, Airdrop status, I/O statistics, Screensharing status, Login History, Network Interface Parameters)
+    - XProtect Version
+    - XProtect Remediator (XPR) Version
+- Unified Logs
+    - Default Unified Logs (failed_sudo, login, manual_configuration_profile_install, screensharing, ssh, tcc, xprotect_remediator)
+    - Additional can be passed in at runtime
+
 ## Releases
 There is an Aftermath.pkg available under [Releases](https://github.com/jamf/aftermath/releases). This pkg is signed and notarized. It will install the aftermath binary at `/usr/local/bin/`. This would be the ideal way to deploy via MDM. Since this is installed in `bin`, you can then run aftermath like
 ```bash

aftermath/Command.swift

@@ -28,7 +28,7 @@ class Command {
     static var collectDirs: [String] = []
     static var unifiedLogsFile: String? = nil
     static var esLogs: [String] = ["create", "exec", "mmap"]
-    static let version: String = "2.2.0"
+    static let version: String = "2.2.1"
     static var disableFeatures: [String:Bool] = ["all": false, "browsers": false, "browser-killswitch": false, "databases": false, "filesystem": false, "proc-info": false, "slack": false, "ul": false]
 
     static func main() {

analysis/DatabaseParser.swift

@@ -328,6 +328,7 @@ class DatabaseParser: AftermathModule {
         case contacts_full = "kTCCServiceContactsFull"
         case contacts_limited = "kTCCServiceContactsLimited"
         case currentLocation = "kTCCServiceLocation"
+        case endpointSecurity = "kTCCServiceEndpointSecurityClient"
         case fileAccess = "kTCCServiceFileProviderDomain"
         case fileAccess_request = "kTCCServiceFileProviderPresence"
         case fitness = "kTCCServiceMotion"

libs/launchdXPC/launchdXPC.m

@@ -1,5 +1,5 @@
 //
-//  launchdXPC.c
+//  launchdXPC.m
 //  Created by Patrick Wardle
 //  Ported from code by Jonathan Levin
 //
@@ -367,7 +367,7 @@ hit up launchd (via XPC) to get process info
 
         //end key line? (line: "}")
         // remove dictionary, as it's no longer needed
-        if(YES == [obj hasSuffix:@"}"])
+        if(YES == [obj isEqualToString:@"}"])
         {
             //remove
             [dictionaries removeLastObject];

persistence/Overrides.swift

@@ -15,7 +15,7 @@ class Overrides: PersistenceModule {
         self.saveToRawDir = saveToRawDir
     }
 
-    func collectOverrides(urlLocations: [URL], capturedFile: URL) {
+    func collectLaunchdOverrides(urlLocations: [URL], capturedFile: URL) {
         for url in urlLocations {
             let plistDict = Aftermath.getPlistAsDict(atUrl: url)
 
@@ -25,14 +25,20 @@ class Overrides: PersistenceModule {
         }
     }
 
+    func collectMdmOverrides(path: String) {
+        self.copyFileToCase(fileToCopy: URL(fileURLWithPath: path), toLocation: moduleDirRoot)
+    }
+
     override func run() {
-        self.log("Collecting overrides...")
+        self.log("Collecting all overrides...")
 
+        // launchd overrides
         let capturedOverridesFile = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "overrides.txt")
-
         let overrides = filemanager.filesInDirRecursive(path: "/var/db/launchd.db/com.apple.launchd/")
+        collectLaunchdOverrides(urlLocations: overrides, capturedFile: capturedOverridesFile)
 
-        collectOverrides(urlLocations: overrides, capturedFile: capturedOverridesFile)
-
+        // mdm overrides
+        let mdmOverridesFile = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
+        collectMdmOverrides(path: mdmOverridesFile)
     }
 }