EXPLORE

EXPLORE DETECTIONS

🔍
80 detections found

Adhoc Codesigning

The codesign utility has been executed to locally ad-hoc codesign a binary.

Jamf Protectinformational

Airdrop Inbound

A file has been created by the sharingd service.

Jamf Protectinformational

All commandline activity

Activity on the commandline has been detected.

Jamf Protectinformational

All commandline activity

Sudo activity on the commandline has been detected.

Jamf Protectinformational

All curl activity

Curl activity has been detected.

Jamf Protectinformational

App Bundle First Open

This detection functions by monitoring for the creation of new directories on the OS containing .app in the name and within the directory used for App Translocation.

Jamf Protectinformational

AppleScript Clipboard Activity

This detection functions by monitoring for when AppleScript is being used to potentially gather clipboard contents over a defined time period or to generate a dialogue box and request the user to enter the keychain password.

T1059T1218
Jamf Protectinformational

AppleScript Dialog Activity

This detection functions by monitoring for when AppleScript is being used to display a dialog and capturing user input with specific arguments that link to the keychain or the users password.

T1059T1218
Jamf Protectinformational

AppleScript System Info Activity

This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.osascript' and process arguments containing "system info".

Jamf Protectinformational

Application Bundle Installed

This detection functions by monitoring for the creation of new directories on the OS that contain a .app extension and are not created in either a Trash or the application sandbox directory.

Jamf Protectinformational

Application Bundle Trashed

This detection functions by monitoring for the creation of new directories on the OS in a path containing .Trash, indicating it was moved to trash.

Jamf Protectinformational

Application Firewall Configuration Changes

This detection functions by monitoring for usage of the socketfilterfw binary used with specific binary verbs that reduce or entirely disable the security provided by the Application Firewall.

Jamf Protectlow

Bluetooth File Exchange Inbound

This detection functions by monitoring for file system activity in a known location by the OBEXAgent service and will provide the file name, save destination path and user involved.

Jamf Protectinformational

Brew Activity

This detection functions by monitoring and report on any activity involving the use of brew with additional arguments, although this one is looking for brew being installed on the default location.

Jamf Protectinformational

Builtin Apache Disabled

This detection functions by monitoring for a launchctl command executed by macOS when a user disabled httpd via /usr/sbin/apachectl

Jamf Protectinformational

Builtin Apache Enabled

This detection functions by monitoring for a launchctl command executed by macOS when a user enables httpd via /usr/sbin/apachectl

Jamf Protectinformational

Caffeinate on interactive commandline

Caffeinate activity has been detected on a interactive command line.

Jamf Protectinformational

Crash Report Creation

This detection functions by monitoring for the creation of the Crash Report files.

Jamf Protectinformational

DNS Service Discovery

This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.dns-sd' and a process argument matches ".*-B\\s\\_\\w.*?\\.\\_tcp".

Jamf Protectinformational

Electron App Code Injection

This detection monitors attempts at code injection into Electron applications on macOS, particularly searching for the usage of the --inspect= argument that could lead into take over of macOS applications TCC permissions.

T1055
Jamf Protectmedium

File Download Curl Insecure

This detection functions by monitoring and report on attempts using curl to download a file using the -k argument, bypassing ssl validations.

Jamf Protectinformational

File Sharing Disabled

This detection functions by monitoring for a launchctl command executed by macOS when a user toggles the File Sharing feature off inside System Preferences > Sharing.

Jamf Protectinformational

File Sharing Enabled

This detection functions by monitoring for a launchctl command executed by macOS when a user toggles the File Sharing feature on inside System Preferences > Sharing.

Jamf Protectinformational

Filevault Authenticated Restart

This detection functions by monitoring for processes created with a binary carrying the com.apple.fdesetup identifier and have a process argument containing the 'authrestart' argument to perform an authenticated restart.

Jamf Protectinformational
Page 1 of 4Next