EXPLORE DETECTIONS
Root User Enabled or Password Changed
This detection functions by monitoring for expected changes made to the /var/db/dslocal/nodes/Default/users/root.plist file when these events occur.
SAP Privileges Elevation
This detection functions by monitoring and report when an end-user has used Privileges.app to elevate administrator or demote to standard user, this alternative can be used if Unified Logging is not an option.
SCP File Copied to Remote Destination
This detection functions by monitoring and reporting when scp is used to copy a file to a remote destination.
SFLTool Activity
This detection functions by monitoring and report when sfltool is being used to either dump the BackgroundTaskManagement to identify all current login and background items configured on the system or reset all third-party Login Items and revert to installation defaults.
Smartcard Filevault Disabled
This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth filevault -o fvdisable -u <user> -h <hash>.
Smartcard Filevault Enabled
This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth filevault -o fvenable -u <user> -h <hash>.
Smartcard Identity Paired
This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth pair -u <user> -h <hash>.
Smartcard Identity Unpaired
This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth unpair -u <user> -h <hash>.
Smartcard Pin Changed
This detection functions by monitoring the pivpin process in macOS when a user runs /usr/sbin/sc_auth changepin.
Smartcard Pin Verified
This detection functions by monitoring the pivpin process in macOS when a user runs /usr/sbin/sc_auth verifypin.
SMB Mounted via Commandline
This detection functions by monitoring and report on various attempts to mount SMB shares via the command line.
SQLite3 Downloads
This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.sqlite3' and process arguments containing "com.apple.LaunchServices.QuarantineEventsV" and "LSQuarantineEvent".
SQLite3 Full Disk Access
This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.sqlite3' and process arguments containing "tcc.db" and "kTCCServiceSystemPolicyAllFiles".
Swift Oneline Command Execution
This detection functions by monitoring and report when the swift CLI is used to execute a arbitrary command using the -e argument that has been implemented in Swift 5.8.
Sysctl Activity
This detection functions by monitoring process creation involving a binary carrying the signing information of 'com.apple.sysctl' that have an associated TTY.
System Profiler Activity
This detection functions by monitoring process creation involving a process path where the last path component is system_profiler, No TTY is assigned and at least one argument is provided that matches "SPHardwareDataType"
Systemsetup Activity
This detection functions by monitoring and report when systemsetup is being used to either either enable or disable remotelogin or appleremoteevents, systemsetup can be used to enable SSH for remote login but also can be used to enable Remote Apple Events.
Terminal Persistency
This detection functions by monitoring and report when a shell command has been configured in the Terminal preferences, a tactic an adversary might employ for persistence. Specifically, this command then executes every time a Terminal session starts.
Threat Prevention File Quarantine
This detection functions by monitoring for new file creations in the Jamf Protect file quarantine directory /Library/Application Support/JamfProtect/Quarantine.
Time Machine Not Encrypted
This detection functions by monitoring and report when a Time Machine is configured and the last known encryption state is not encrypted.
TMUtil Activity
This detection functions by monitoring and report when tmutil is utilized outside of an interactive command line for specific purposes, either to delete all local snapshots using the deletelocalsnapshots argument with / as the mount point, or when the delete argument is used to remove a Time Machine backup from an external volume. Such actions could potentially indicate adversarial behavior, as an attacker might perform these operations to impede file restoration by the victim in the event of a ransomware attack.
Unsigned Dmg Detected
This detection functions by monitoring and report on dmg files being created where the object is not signed and not created by Disk Utility.
Unsigned Keylogger Registered
This detection functions by monitoring for keylogger registration events where the signing information of the keylogger is unable to be obtained or verified.
Unsigned Process Execution from Volumes
This detection functions by monitoring and report into unsigned processes executions from within the /Volumes/ directory.