EXPLORE
← Back to Explore
jamf_protectlowTTP

Application Firewall Configuration Changes

This detection functions by monitoring for usage of the socketfilterfw binary used with specific binary verbs that reduce or entirely disable the security provided by the Application Firewall.

Detection Query

$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.socketfilterfw" AND $event.process.args.@count > 0 AND (((ANY $event.process.args  IN {"--setglobalstate", "--setloggingmode", "--setblockall"}) AND (ANY $event.process.args == "off")) OR (ANY $event.process.args IN {"--unblockapp", "--remove"}))

Author

Jamf

Data Sources

Process EventsmacOS Endpoint Security

Platforms

macos

Tags

VisibilitySystem Changes
Raw Content
---
name: ApplicationFirewallConfigChanges
uuid: f501f7d7-b89d-4eca-a972-a17539d71a11
longDescription: This detection functions by monitoring for usage of the socketfilterfw binary used with specific binary verbs that reduce or entirely disable the security provided by the Application Firewall.
level: 0
inputType: GPProcessEvent
tags: null
snapshotFiles: []
filter: $event.type == 1 AND 
  $event.process.signingInfo.appid == "com.apple.socketfilterfw" AND 
  $event.process.args.@count > 0 AND
  (((ANY $event.process.args  IN {"--setglobalstate", "--setloggingmode", "--setblockall"}) AND (ANY $event.process.args == "off")) OR (ANY $event.process.args IN {"--unblockapp", "--remove"}))
actions:
  - name: Log
context: []
categories:
  - Visibility
  - System Changes
version: 1
severity: Low
shortDescription: The socketfilterfw binary has been used to make changes to the application firewall.
label: Application Firewall Configuration Changes
remediation: null
MitreCategories: null