EXPLORE
← Back to Explore
jamf_protectinformationalTTP

User Privilege Escalation by dseditgroup and Self Service

This detection functions by monitoring for process creation with a binary carrying the signing information of 'com.apple.dseditgroup', a command-line argument of '-o edit -a' (required to escalate privileges with this binary) and with the parent process originating from the Jamf Pro management framework's application support directory.

Detection Query

$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.dseditgroup" AND $event.process.commandLine CONTAINS[cd] "-o edit -a" AND $event.process.parent.commandLine CONTAINS "/Library/Application Support/JAMF/"

Author

Jamf

Data Sources

Process EventsmacOS Endpoint Security

Platforms

macos

Tags

Visibility
Raw Content
---
name: UserPrivilegeEscalationByDseditgroupAndSelfService
uuid: dbe9308f-ca10-4201-aac1-8aa1d57aa8c8
longDescription: This detection functions by monitoring for process creation with a binary carrying the signing information of 'com.apple.dseditgroup', a command-line argument of '-o edit -a' (required to escalate privileges with this binary) and with the parent process originating from the Jamf Pro management framework's application support directory.
level: 0
inputType: GPProcessEvent
tags:
snapshotFiles: []
filter: $event.type == 1 AND
  $event.process.signingInfo.appid == "com.apple.dseditgroup" AND
  $event.process.commandLine CONTAINS[cd] "-o edit -a" AND
  $event.process.parent.commandLine CONTAINS "/Library/Application Support/JAMF/"
actions:
  - name: Log
context: []
categories:
  - Visibility
version: 1
severity: Informational
shortDescription: A users privileges have been escalated.
label: User Privilege Escalation by dseditgroup and Self Service
remediation: null
MitreCategories: null