← Back to Explore
jamf_protectinformationalTTP
User Switched on Commandline
This detection functions by monitoring for su processes created that have an associated TTY and are determined to be created through a fully interactive shell, such as those from a Terminal session.
Detection Query
$event.type == 1 AND $event.process.tty != nil AND $event.process.signingInfo.appid == "com.apple.su"Author
Jamf
Data Sources
Process EventsmacOS Endpoint Security
Platforms
macos
Tags
Visibility
Raw Content
---
name: UserSwitchedOnCommandline
uuid: 90de5c96-125f-40de-b1a5-2cada0896c43
longDescription: This detection functions by monitoring for su processes created that have an associated TTY and are determined to be created through a fully interactive shell, such as those from a Terminal session.
level: 0
inputType: GPProcessEvent
tags:
snapshotFiles: []
filter: $event.type == 1 AND
$event.process.tty != nil AND
$event.process.signingInfo.appid == "com.apple.su"
actions:
- name: Log
context: []
categories:
- Visibility
version: 1
severity: Informational
shortDescription: A user switched on the commandline using the su binary.
label: User Switched on Commandline
remediation: null
MitreCategories: null