EXPLORE DETECTIONS
Gatekeeper Configuration Changes
This detection functions by monitoring for usage of the spctl binary used with specific binary verbs that reduce or entirely disable the security provided by Gatekeeper.
Generic File Copied to Remote Destination
This detection functions by monitoring when scp, sftp or rsync is used to copy a file to a remote destination.
Hidden Account Created DSCL
This detection functions by monitoring on attempts using dcsl to create accounts that are hidden from the login window.
Host File modification
This detection functions by monitoring for modifications made to the /etc/hosts file path.
Installer Initiated Network Connection
This detection functions by monitoring for the process creation involving curl or nscurl where the responsible process is Installer and the parent process is a shell.
Jamf Connect Acc Promo Activity
This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.jamf.connect.tool' and process arguments containing "acc-promo --elevate".
Kernel Panic Occured
This detection functions by monitoring for the deletion of the current.panic files. NOTE: The current.panic file is initially written to disk when Jamf Protect is not actively running after the device kernel panics, when the machine is rebooting and before the Protect system extension is enabled. This file is subsequently deleted after the user gets to the login window. This is when Protect will trigger on this event. If the machine does not restart or the kernel panic causes memory corruption that prevents the machine from rebooting or powering on, this detection will not trigger.
Keychain Copied
This detection functions by monitoring for process activity using the mv, ditto or cp binaries to copy .keychain-db files over to other locations, in case of a healthy keychain this should not happen.
Keychain Dumped
This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.security' and using the parameters "dump-keychain".
Known Vulnerable Log4j Jar Installation
This detection functions by monitoring for .jar files created on the host system that are known to be vulnerable to log4shell-related attacks.
Launchctl Unload and Bootout
This detection functions by monitoring for processes created by the launchctl binary where a process argument contains the 'unload' or 'bootout' arguments.
LaunchDaemon Deleted
This detection functions by monitoring for deletion events on any files within known file paths for LaunchDaemons.
Lockscreen Check
This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.zgrep' or 'com.apple.grep', a process group leader carrying the signing information of 'com.apple.ioreg', and a process argument containing "CGSSession".
Mdfind Search AWS Keys
This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.mdfind' and process arguments containing "*AKIA*".
Mitmproxy Activity
This detection functions by monitoring for when mitmproxy process is launched to potentially acts as a “middle man” between the server and the client.
Nmap Scan Activity
This detection functions by monitoring for process activity using the nmap binary to process arguments containing "-sS -sV -Pn {IPRANGE} -p {PORTS}".
OpenClaw directory created
Detection of OpenClaw's hidden directory, created during setup.
OpenClaw gateway persistence
Detection of OpenClaw's gateway persistence (~/Library/LaunchAgents/ai.openclaw.gateway.plist).
OpenClaw installation
Detection of OpenClaw installation commands from openclaw.ai.
OpenClaw Onboard Command Activity
Detection of OpenClaw onboard command to initiate setup.
OpenClaw skills installation
Detection of skills installed from Clawhub via npx command.
Packet Filter Modification
This detection functions by monitoring for processes created with a binary carrying the com.apple.pfctl identifier and have a process argument containing one of the following arguments "-F all" "-d" "-e -f" "-e".
Printer Activity
This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.socket', 'com.apple.ipp', 'com.apple.lpd', or 'com.apple.usb' with a responsible process creation involving a binary carrying the signing info of 'com.apple.cupsd'.
Process Executions from Volumes
This detection functions by monitoring for process executions from within the /Volumes/ directory.