EXPLORE
← Back to Explore
jamf_protectinformationalTTP

Jamf Connect Acc Promo Activity

This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.jamf.connect.tool' and process arguments containing "acc-promo --elevate".

Detection Query

event.process.signingInfo.appid == "com.jamf.connect.tool" AND $event.type == 1 AND $event.process.args.@count > 0 AND ((ANY $event.process.args == "acc-promo") AND (ANY $event.process.args == "--elevate")) AND $event.process.responsible.signingInfo.teamid != "483DWKW443" AND $event.process.tty == nil

Author

Jamf

Data Sources

Process EventsmacOS Endpoint Security

Platforms

macos

Tags

VisibilityJamf ConnectPrivilegeEscalation
Raw Content
---
name: JamfConnectAccPromoActivity
uuid: caa020a3-03b1-4667-8401-0b0a426e523f
longDescription: This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.jamf.connect.tool' and process arguments containing "acc-promo --elevate".
level: 0
inputType: GPProcessEvent
tags: null
snapshotFiles: []
filter: event.process.signingInfo.appid == "com.jamf.connect.tool" AND
  $event.type == 1 AND
  $event.process.args.@count > 0 AND
  ((ANY $event.process.args == "acc-promo") AND (ANY $event.process.args == "--elevate")) AND
  $event.process.responsible.signingInfo.teamid != "483DWKW443" AND
  $event.process.tty == nil
actions:
  - name: Log
context: []
categories:
  - Visibility
  - Jamf Connect
version: 1
severity: Informational
shortDescription: A user privileges has escalated through the Jamf Connect commandline utility.
label: Jamf Connect Acc Promo Activity
remediation: null
MitreCategories:
  - PrivilegeEscalation