EXPLORE
← Back to Explore
jamf_protectinformationalTTP

Adhoc Codesigning

The codesign utility has been executed to locally ad-hoc codesign a binary.

Detection Query

$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.security.codesign" AND $event.process.args.@count > 0 AND ((ANY $event.process.args IN {"--sign", "-s"}) AND(ANY $event.process.args == "-"))

Author

Jamf

Data Sources

Process EventsmacOS Endpoint Security

Platforms

macos

Tags

Visibility
Raw Content
---
name: AdhocCodesigning
uuid: 51cb46e3-8ee4-4a2f-a019-83ba46f5f42a
longDescription: The codesign utility has been executed to locally ad-hoc codesign a binary.
level: 0
inputType: GPProcessEvent
tags: null
snapshotFiles: []
filter: $event.type == 1 AND 
  $event.process.signingInfo.appid == "com.apple.security.codesign" AND
  $event.process.args.@count > 0 AND ((ANY $event.process.args IN {"--sign", "-s"}) AND(ANY $event.process.args == "-"))
actions:
  - name: Log
context:
  - exprs:
      - (event.process.args)[LAST]
    name: Ad-hoc signed App Bundle
    type: File
  - exprs:
      - (event.process.args)[LAST].file.signingInfo.cdhash.hexString
    name: Bundle CDHash
    type: String
  - exprs:
      - (event.process.args)[LAST].file.sha1hex
    name: Executable - SHA1HEX
    type: String
  - exprs:
      - event.file.contentsAsDict.Label
    name: Label
    type: String
  - exprs:
      - (event.process.args)[LAST].file.sha256hex
    name: Executable - SHA256HEX
    type: String
categories:
  - Visibility
version: 1
severity: Informational
shortDescription: Adhoc Codesigning
label: Adhoc Codesigning
remediation: Review the binary that has been ad-hoc signed and determine if it's unsafe.
MitreCategories:
  - Visibility