EXPLORE

EXPLORE DETECTIONS

🔍
80 detections found

Root User Enabled or Password Changed

This detection functions by monitoring for expected changes made to the /var/db/dslocal/nodes/Default/users/root.plist file when these events occur.

Jamf Protectlow

SAP Privileges Elevation

This detection functions by monitoring and report when an end-user has used Privileges.app to elevate administrator or demote to standard user, this alternative can be used if Unified Logging is not an option.

Jamf Protectinformational

SCP File Copied to Remote Destination

This detection functions by monitoring and reporting when scp is used to copy a file to a remote destination.

Jamf Protectinformational

SFLTool Activity

This detection functions by monitoring and report when sfltool is being used to either dump the BackgroundTaskManagement to identify all current login and background items configured on the system or reset all third-party Login Items and revert to installation defaults.

Jamf Protectinformational

Smartcard Filevault Disabled

This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth filevault -o fvdisable -u <user> -h <hash>.

Jamf Protectinformational

Smartcard Filevault Enabled

This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth filevault -o fvenable -u <user> -h <hash>.

Jamf Protectinformational

Smartcard Identity Paired

This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth pair -u <user> -h <hash>.

Jamf Protectinformational

Smartcard Identity Unpaired

This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth unpair -u <user> -h <hash>.

Jamf Protectinformational

Smartcard Pin Changed

This detection functions by monitoring the pivpin process in macOS when a user runs /usr/sbin/sc_auth changepin.

Jamf Protectinformational

Smartcard Pin Verified

This detection functions by monitoring the pivpin process in macOS when a user runs /usr/sbin/sc_auth verifypin.

Jamf Protectinformational

SMB Mounted via Commandline

This detection functions by monitoring and report on various attempts to mount SMB shares via the command line.

Jamf Protectinformational

SQLite3 Downloads

This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.sqlite3' and process arguments containing "com.apple.LaunchServices.QuarantineEventsV" and "LSQuarantineEvent".

T1059T1218
Jamf Protectinformational

SQLite3 Full Disk Access

This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.sqlite3' and process arguments containing "tcc.db" and "kTCCServiceSystemPolicyAllFiles".

T1059T1218
Jamf Protectinformational

Swift Oneline Command Execution

This detection functions by monitoring and report when the swift CLI is used to execute a arbitrary command using the -e argument that has been implemented in Swift 5.8.

T1059T1218
Jamf Protectinformational

Sysctl Activity

This detection functions by monitoring process creation involving a binary carrying the signing information of 'com.apple.sysctl' that have an associated TTY.

T1059T1218
Jamf Protectinformational

System Profiler Activity

This detection functions by monitoring process creation involving a process path where the last path component is system_profiler, No TTY is assigned and at least one argument is provided that matches "SPHardwareDataType"

T1059T1218
Jamf Protectinformational

Systemsetup Activity

This detection functions by monitoring and report when systemsetup is being used to either either enable or disable remotelogin or appleremoteevents, systemsetup can be used to enable SSH for remote login but also can be used to enable Remote Apple Events.

Jamf Protectinformational

Terminal Persistency

This detection functions by monitoring and report when a shell command has been configured in the Terminal preferences, a tactic an adversary might employ for persistence. Specifically, this command then executes every time a Terminal session starts.

T1059T1218
Jamf Protectlow

Threat Prevention File Quarantine

This detection functions by monitoring for new file creations in the Jamf Protect file quarantine directory /Library/Application Support/JamfProtect/Quarantine.

Jamf Protectinformational

Time Machine Not Encrypted

This detection functions by monitoring and report when a Time Machine is configured and the last known encryption state is not encrypted.

Jamf Protectinformational

TMUtil Activity

This detection functions by monitoring and report when tmutil is utilized outside of an interactive command line for specific purposes, either to delete all local snapshots using the deletelocalsnapshots argument with / as the mount point, or when the delete argument is used to remove a Time Machine backup from an external volume. Such actions could potentially indicate adversarial behavior, as an attacker might perform these operations to impede file restoration by the victim in the event of a ransomware attack.

T1059T1218
Jamf Protectlow

Unsigned Dmg Detected

This detection functions by monitoring and report on dmg files being created where the object is not signed and not created by Disk Utility.

Jamf Protectlow

Unsigned Keylogger Registered

This detection functions by monitoring for keylogger registration events where the signing information of the keylogger is unable to be obtained or verified.

Jamf Protectmedium

Unsigned Process Execution from Volumes

This detection functions by monitoring and report into unsigned processes executions from within the /Volumes/ directory.

Jamf Protectinformational
PreviousPage 3 of 4Next