LoFP / macos

macos rules

Title
Application installers might contain scripts as part of the installation process.
Applications for password management.
Authorized softwareupdate settings changes.
Certain applications may install root certificates for the purpose of inspecting SSL traffic.
Custom organization-specific macOS packages that use .pkg files to run curl could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule.
Legitimate activities.
Legitimate administration activities.
Legitimate administration activities are expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent is suspicious.
Legitimate administration tools and activities.
Legitimate administrative activities.
Legitimate administrator activity.
Legitimate browser install, update and recovery scripts.
Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly.
Legitimate script work.
Legitimate software uses the scripts (preinstall, postinstall).
Legitimate software cleaning the history file.
Legitimate usage of chflags by administrators and users.
Legitimate usage of hdiutil by administrators and users.
Legitimate usage of nscurl by administrators and users.
Legitimate usage of TeamViewer.
Legitimate use of the Jamf CLI tool by IT support and administrators.
Legitimate user activity taking screenshots.
Legitimate web proxy settings modification.
Mistyped commands or legitimate binaries named to match the pattern.
Trusted applications for managing calendars and reminders.
Trusted applications persisting via LaunchAgent.
Trusted applications persisting via LaunchDaemons.
Trusted Finder Sync plugins.
Trusted system or Adobe Acrobat related processes.
Unlikely.