- Jamf Nation Community
- Products
- Jamf Protect
- Re: Jamf Protect Alert - JamfProBinaryModified - u...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-01-2023 12:13 PM
Hello Jamf Protect Community,
I received an alert with the Description: JamfProBinaryModified.... Jamf Pro Binary Modified or Removed. Below I will copy information from the first two pages of the of the alert. Has anyone encountered this before and if so what resolution did you come to with it? It seems to be related to the appstore but I'm not sure why exactly this is happening and why Jamf Protect isn't simply marking this as Informational if that's what it is.
----
Summary Page:
JamfProBinaryModified
The Jamf binary is responsible for most of the actions taken by Jamf Pro. It is located at /usr/local/jamf/bin/jamf (alias at /usr/local/bin/jamf). If this file (or its alias) is moved or damaged, Jamf Pro will be unable to perform remote management actions. While an attacker might theoretically disable Jamf Pro to subvert its security controls, this detection is aimed at the end user disabling Jamf Pro without authorization. This detection alerts when the Jamf Pro binary itself has been removed or tampered with.
Remediation:| Pay particular attention to the initiating process. In the event that the command “jamf removeFramework” was executed under a terminal, the Jamf Pro binary was likely removed intentionally by the end user. Determine whether this action was authorized by your organization. |
Host IP
Tags
Impact
MITREattack
ServiceStop
T1489
File System Event Details
Event Type
File Renamed
Event Timestamp
11/01/2023 11:55 AM GMT
Path
/usr/local/jamf/bin/jamf
Process
mv (/bin/mv)
User
root
Group
admin
----
Processes page:
mv (1431)
Process Arguments
/bin/mv /Library/Application Support/JAMF/tmp/jamf /usr/local/jamf/bin/jamf
Signing Info
Signer Type: AppleApp ID: com.apple.mvAuthorities: Software Signing → Apple Code Signing Certification Authority → Apple Root CA
Path
/bin/mv
Process UUID
b2f0074a-6ff9-481d-afcf-b890bd90a468
Pid
1431
Name
mv
User
0
Group
0
Process Start Time
11/01/2023 11:55 AM GMT
Parent Process
1404
bash (1404)
Process Arguments
/bin/bash /Library/InstallerSandboxes/.PKInstallSandboxManager/4836C507-4621-42E5-A386-F853B146C59A.activeSandbox/Scripts/com.jamfsoftware.osxenrollment.YQTS4V/postinstall /var/folders/zz/zyxvpxvq6csfxvn_n0000044000011/C/com.apple.appstore/58F35568-1513-4686-A25D-645CCB0AF0D8/quickadd.pkg
Signing Info
Signer Type: AppleApp ID: com.apple.bashAuthorities: Software Signing → Apple Code Signing Certification Authority → Apple Root CA
Path
/bin/bash
Process UUID
e30a52be-d5dd-406d-839a-1a1eb6150f20
Pid
1404
Name
bash
User
0
Group
0
Process Start Time
11/01/2023 11:54 AM GMT
Parent Process
1241
appstored (1225)
Process Arguments
/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstored
Signing Info
Signer Type: AppleApp ID: com.apple.appstoredAuthorities: Software Signing → Apple Code Signing Certification Authority → Apple Root CA
Path
/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstored
Process UUID
4cdcdda7-b534-4646-8a97-48bcdac997cb
Pid
1225
Name
appstored
User
33
Group
33
Process Start Time
11/01/2023 11:54 AM GMT
Solved! Go to Solution.
Labels:
- Labels:
-
appstore
-
Binary
-
Jamf Protect
-
root
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-08-2023 09:53 AM
- I shared the JSON with staff at Jamf Engineering to get us more info on the why behind this alert.
- This alert was triggered by a system enrolling which is not an action this analytic should have triggered an alert for.
- This detection is aimed more at the end user behavior of disabling Jamf Pro without authorization and alerts when the Jamf Pro binary itself has been removed or tampered with.
- The technical response from Engineering: If you look at the related processes you’ll see that mv is moving /Library/Application Support/JAMF/tmp/jamf to /usr/local/jamf/bin/jamf and the parent process is bash which is running the postinstall script from the quickadd pkg.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-08-2023 09:53 AM
- I shared the JSON with staff at Jamf Engineering to get us more info on the why behind this alert.
- This alert was triggered by a system enrolling which is not an action this analytic should have triggered an alert for.
- This detection is aimed more at the end user behavior of disabling Jamf Pro without authorization and alerts when the Jamf Pro binary itself has been removed or tampered with.
- The technical response from Engineering: If you look at the related processes you’ll see that mv is moving /Library/Application Support/JAMF/tmp/jamf to /usr/local/jamf/bin/jamf and the parent process is bash which is running the postinstall script from the quickadd pkg.
