EXPLORE

EXPLORE DETECTIONS

🔍
80 detections found

Gatekeeper Configuration Changes

This detection functions by monitoring for usage of the spctl binary used with specific binary verbs that reduce or entirely disable the security provided by Gatekeeper.

Jamf Protectlow

Generic File Copied to Remote Destination

This detection functions by monitoring when scp, sftp or rsync is used to copy a file to a remote destination.

Jamf Protectinformational

Hidden Account Created DSCL

This detection functions by monitoring on attempts using dcsl to create accounts that are hidden from the login window.

Jamf Protectinformational

Host File modification

This detection functions by monitoring for modifications made to the /etc/hosts file path.

Jamf Protectinformational

Installer Initiated Network Connection

This detection functions by monitoring for the process creation involving curl or nscurl where the responsible process is Installer and the parent process is a shell.

Jamf Protectinformational

Jamf Connect Acc Promo Activity

This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.jamf.connect.tool' and process arguments containing "acc-promo --elevate".

Jamf Protectinformational

Kernel Panic Occured

This detection functions by monitoring for the deletion of the current.panic files. NOTE: The current.panic file is initially written to disk when Jamf Protect is not actively running after the device kernel panics, when the machine is rebooting and before the Protect system extension is enabled. This file is subsequently deleted after the user gets to the login window. This is when Protect will trigger on this event. If the machine does not restart or the kernel panic causes memory corruption that prevents the machine from rebooting or powering on, this detection will not trigger.

Jamf Protectinformational

Keychain Copied

This detection functions by monitoring for process activity using the mv, ditto or cp binaries to copy .keychain-db files over to other locations, in case of a healthy keychain this should not happen.

Jamf Protectinformational

Keychain Dumped

This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.security' and using the parameters "dump-keychain".

Jamf Protectinformational

Known Vulnerable Log4j Jar Installation

This detection functions by monitoring for .jar files created on the host system that are known to be vulnerable to log4shell-related attacks.

Jamf Protectinformational

Launchctl Unload and Bootout

This detection functions by monitoring for processes created by the launchctl binary where a process argument contains the 'unload' or 'bootout' arguments.

Jamf Protectinformational

LaunchDaemon Deleted

This detection functions by monitoring for deletion events on any files within known file paths for LaunchDaemons.

Jamf Protectinformational

Lockscreen Check

This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.zgrep' or 'com.apple.grep', a process group leader carrying the signing information of 'com.apple.ioreg', and a process argument containing "CGSSession".

T1059T1218
Jamf Protectinformational

Mdfind Search AWS Keys

This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.mdfind' and process arguments containing "*AKIA*".

T1059T1218
Jamf Protectinformational

Mitmproxy Activity

This detection functions by monitoring for when mitmproxy process is launched to potentially acts as a “middle man” between the server and the client.

T1557
Jamf Protectinformational

Nmap Scan Activity

This detection functions by monitoring for process activity using the nmap binary to process arguments containing "-sS -sV -Pn {IPRANGE} -p {PORTS}".

Jamf Protectinformational

OpenClaw directory created

Detection of OpenClaw's hidden directory, created during setup.

Jamf Protectinformational

OpenClaw gateway persistence

Detection of OpenClaw's gateway persistence (~/Library/LaunchAgents/ai.openclaw.gateway.plist).

Jamf Protectinformational

OpenClaw installation

Detection of OpenClaw installation commands from openclaw.ai.

Jamf Protectinformational

OpenClaw Onboard Command Activity

Detection of OpenClaw onboard command to initiate setup.

Jamf Protectinformational

OpenClaw skills installation

Detection of skills installed from Clawhub via npx command.

Jamf Protectinformational

Packet Filter Modification

This detection functions by monitoring for processes created with a binary carrying the com.apple.pfctl identifier and have a process argument containing one of the following arguments "-F all" "-d" "-e -f" "-e".

Jamf Protectinformational

Printer Activity

This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.socket', 'com.apple.ipp', 'com.apple.lpd', or 'com.apple.usb' with a responsible process creation involving a binary carrying the signing info of 'com.apple.cupsd'.

Jamf Protectinformational

Process Executions from Volumes

This detection functions by monitoring for process executions from within the /Volumes/ directory.

Jamf Protectinformational
PreviousPage 2 of 4Next