Jamf Protect Alert - JamfProBinaryModified - users: _appstore, root

MattTHL
New Contributor II

Hello Jamf Protect Community,

 

I received an alert with the Description: JamfProBinaryModified.... Jamf Pro Binary Modified or Removed. Below I will copy information from the first two pages of the alert. Has anyone encountered this before and if so what resolution did you come to with it? It seems to be related to the App Store but I'm not sure why exactly this is happening and why Jamf Protect isn't simply marking this as Informational if that's what it is.

---- 

 

Summary Page:

JamfProBinaryModified

The Jamf binary is responsible for most of the actions taken by Jamf Pro. It is located at /usr/local/jamf/bin/jamf (alias at /usr/local/bin/jamf). If this file (or its alias) is moved or damaged, Jamf Pro will be unable to perform remote management actions. While an attacker might theoretically disable Jamf Pro to subvert its security controls, this detection is aimed at the end user disabling Jamf Pro without authorization. This detection alerts when the Jamf Pro binary itself has been removed or tampered with.

Remediation:
Pay particular attention to the initiating process. In the event that the command “jamf removeFramework” was executed under a terminal, the Jamf Pro binary was likely removed intentionally by the end user. Determine whether this action was authorized by your organization.

Host IP:

Tags: Impact, MITREattack, ServiceStop, T1489
 

File System Event Details

Event Type: File Renamed
Event Timestamp: 11/01/2023 11:55 AM GMT
Path: /usr/local/jamf/bin/jamf
Process: mv (/bin/mv)
User: root
Group: admin
----
Processes page:

mv (1431)
Process Arguments: /bin/mv /Library/Application Support/JAMF/tmp/jamf /usr/local/jamf/bin/jamf
Signing Info: Signer Type: Apple; App ID: com.apple.mv; Authorities: Software Signing → Apple Code Signing Certification Authority → Apple Root CA
Path: /bin/mv
Process UUID: b2f0074a-6ff9-481d-afcf-b890bd90a468
Pid: 1431
Name: mv
User: 0
Group: 0
Process Start Time: 11/01/2023 11:55 AM GMT
Parent Process: 1404

bash (1404)
Process Arguments: /bin/bash /Library/InstallerSandboxes/.PKInstallSandboxManager/4836C507-4621-42E5-A386-F853B146C59A.activeSandbox/Scripts/com.jamfsoftware.osxenrollment.YQTS4V/postinstall /var/folders/zz/zyxvpxvq6csfxvn_n0000044000011/C/com.apple.appstore/58F35568-1513-4686-A25D-645CCB0AF0D8/quickadd.pkg
Signing Info: Signer Type: Apple; App ID: com.apple.bash; Authorities: Software Signing → Apple Code Signing Certification Authority → Apple Root CA
Path: /bin/bash
Process UUID: e30a52be-d5dd-406d-839a-1a1eb6150f20
Pid: 1404
Name: bash
User: 0
Group: 0
Process Start Time: 11/01/2023 11:54 AM GMT
Parent Process: 1241

appstored (1225)
Process Arguments: /System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstored
Signing Info: Signer Type: Apple; App ID: com.apple.appstored; Authorities: Software Signing → Apple Code Signing Certification Authority → Apple Root CA
Path: /System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstored
Process UUID: 4cdcdda7-b534-4646-8a97-48bcdac997cb
Pid: 1225
Name: appstored
User: 33
Group: 33
Process Start Time: 11/01/2023 11:54 AM GMT
 
1 ACCEPTED SOLUTION

MattTHL
New Contributor II
  • I shared the JSON with staff at Jamf Engineering to get us more info on the why behind this alert. 
  • This alert was triggered by a system enrolling which is not an action this analytic should have triggered an alert for.  
  • This detection is aimed more at the end user behavior of disabling Jamf Pro without authorization and alerts when the Jamf Pro binary itself has been removed or tampered with. 
  • The technical response from Engineering: If you look at the related processes you’ll see that mv is moving /Library/Application Support/JAMF/tmp/jamf to /usr/local/jamf/bin/jamf and the parent process is bash which is running the postinstall script from the quickadd pkg.

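The lineage check Jamf Engineering describes above (root `mv` from `/Library/Application Support/JAMF/tmp/jamf` onto the binary, parented by `bash` running a postinstall script out of the installer sandbox) can be turned into a triage rule so that the next occurrence is classified before anyone opens the alert. The Python below is an added example written for this thread; it is not code from Jamf or from the original poster. The nested `alert` dictionary is a constructed stand-in that mirrors the fields visible on the page (arguments, path, signing authorities, parent), not the real Jamf Protect export schema, so the key names would need mapping to whatever your export actually contains.

```python
import re

JAMF_BINARY = "/usr/local/jamf/bin/jamf"
JAMF_TMP_BINARY = "/Library/Application Support/JAMF/tmp/jamf"
# Installer-driven postinstall scripts run from this sandbox path while a pkg installs.
SANDBOX_POSTINSTALL = re.compile(
    r"^/Library/InstallerSandboxes/\.PKInstallSandboxManager/"
    r"[0-9A-Fa-f-]+\.activeSandbox/Scripts/[^/]+/postinstall$"
)


def lineage(proc):
    """Yield the initiating process, then each ancestor from the nested record."""
    while proc is not None:
        yield proc
        proc = proc.get("parent")


def apple_signed(proc):
    """True when the record says Apple signed it and the chain ends at Apple Root CA."""
    sig = proc.get("signing", {})
    return sig.get("signerType") == "Apple" and (sig.get("authorities") or [""])[-1] == "Apple Root CA"


def classify(alert):
    """Return (verdict, reason) for a JamfProBinaryModified-style event."""
    fs, procs = alert["file"], list(lineage(alert["process"]))

    # Case 1: the remediation note's own pattern, `jamf removeFramework` anywhere in the chain.
    for p in procs:
        a = p["args"]
        if len(a) >= 2 and a[0].rsplit("/", 1)[-1] == "jamf" and a[1] == "removeFramework":
            return "review", f"'jamf removeFramework' run by pid {p['pid']}; confirm authorization"

    # Case 2: the enrollment pattern from this thread.
    mv = procs[0]
    enrollment_mv = (
        fs["eventType"] == "File Renamed"
        and fs["path"] == JAMF_BINARY
        and mv["path"] == "/bin/mv"
        and mv["args"][-2:] == [JAMF_TMP_BINARY, JAMF_BINARY]
    )
    postinstall = next(
        (p for p in procs[1:]
         if p["path"] == "/bin/bash" and len(p["args"]) >= 2 and SANDBOX_POSTINSTALL.match(p["args"][1])),
        None,
    )
    if enrollment_mv and postinstall is not None:
        if not all(apple_signed(p) for p in procs):
            return "review", "enrollment-shaped move, but a non-Apple-signed process is in the chain"
        return "informational", f"enrollment postinstall (pid {postinstall['pid']}) installed the binary"

    return "escalate", "Jamf binary changed outside a recognised pattern"


# Constructed sample built from the values on the page (not a real Jamf Protect export).
APPLE_AUTH = ["Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA"]
APPSTORED = "/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstored"
ENROLLMENT_ALERT = {
    "file": {"eventType": "File Renamed", "path": JAMF_BINARY, "user": "root"},
    "process": {
        "pid": 1431, "path": "/bin/mv",
        "args": ["/bin/mv", JAMF_TMP_BINARY, JAMF_BINARY],
        "signing": {"signerType": "Apple", "authorities": APPLE_AUTH},
        "parent": {
            "pid": 1404, "path": "/bin/bash",
            "args": ["/bin/bash",
                     "/Library/InstallerSandboxes/.PKInstallSandboxManager/"
                     "4836C507-4621-42E5-A386-F853B146C59A.activeSandbox/Scripts/"
                     "com.jamfsoftware.osxenrollment.YQTS4V/postinstall",
                     "/var/folders/zz/zyxvpxvq6csfxvn_n0000044000011/C/com.apple.appstore/"
                     "58F35568-1513-4686-A25D-645CCB0AF0D8/quickadd.pkg"],
            "signing": {"signerType": "Apple", "authorities": APPLE_AUTH},
            "parent": {
                "pid": 1225, "path": APPSTORED, "args": [APPSTORED],
                "signing": {"signerType": "Apple", "authorities": APPLE_AUTH},
            },
        },
    },
}

# Constructed counter-example for the remediation note's case; signer string is a placeholder.
REMOVAL_ALERT = {
    "file": {"eventType": "File Removed", "path": JAMF_BINARY, "user": "root"},
    "process": {
        "pid": 2201, "path": JAMF_BINARY,
        "args": [JAMF_BINARY, "removeFramework"],
        "signing": {"signerType": "Developer ID", "authorities": ["Developer ID Application: <vendor>"]},
        "parent": {"pid": 2100, "path": "/bin/zsh", "args": ["-zsh"],
                   "signing": {"signerType": "Apple", "authorities": APPLE_AUTH}},
    },
}

if __name__ == "__main__":
    for name, alert in (("enrollment", ENROLLMENT_ALERT), ("removeFramework", REMOVAL_ALERT)):
        print(name, *classify(alert))
```

Two caveats. Anyone already running as root can reproduce this exact chain (any pkg's postinstall can `mv` a file onto the binary, and `mv`, `bash` and `appstored` are always Apple-signed), so the rule only downgrades the documented enrollment pattern; it does not prove the package was Jamf's. Pair it with a check on the file that now sits at the path, e.g. `codesign -dv --verbose=4 /usr/local/jamf/bin/jamf 2>&1 | grep -E 'Authority|TeamIdentifier'`, and compare the signer against the one on a known-good enrolled Mac.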