{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jamf/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Jamf Protect"],"_cs_severities":["low"],"_cs_tags":["privilege-escalation","macos","jamf"],"_cs_type":"advisory","_cs_vendors":["Elastic","Jamf"],"content_html":"\u003cp\u003eThis detection rule identifies instances of users being added to the \u0026lsquo;admin\u0026rsquo; group on macOS systems. This is a critical security concern, as it can be indicative of privilege escalation attempts by malicious actors or unauthorized users. The rule is designed to function with data ingested from Jamf Protect into the Elastic Security platform, providing a means to detect this specific type of activity within macOS environments. The rule was last updated in May 2026 and leverages EQL for its detection logic. By monitoring for these events, security teams can quickly identify and respond to potential privilege escalation attempts, mitigating the risk of unauthorized access and control over macOS systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user with sufficient privileges executes a command-line tool like \u003ccode\u003edscl\u003c/code\u003e to modify group membership.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edscl\u003c/code\u003e command targets the local directory service to modify the \u0026ldquo;admin\u0026rdquo; group.\u003c/li\u003e\n\u003cli\u003eThe command adds a specific username to the list of members of the \u0026ldquo;admin\u0026rdquo; group.\u003c/li\u003e\n\u003cli\u003eThe operating system processes the directory service modification request and updates group membership.\u003c/li\u003e\n\u003cli\u003eThe system logs the event as a change to group membership, specifically \u0026ldquo;od_group_add\u0026rdquo; for the \u0026ldquo;admin\u0026rdquo; group.\u003c/li\u003e\n\u003cli\u003eJamf Protect detects this event and forwards the telemetry to the Elastic platform.\u003c/li\u003e\n\u003cli\u003eThe Elastic detection rule triggers based on the received event data.\u003c/li\u003e\n\u003cli\u003eAn alert is generated, prompting security analysts to investigate potential privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful privilege escalation can grant an attacker complete control over the affected macOS system. This can lead to unauthorized data access, modification, or deletion, as well as the installation of malware or other malicious software. While the risk score is relatively low (21), the potential impact of a successful attack necessitates monitoring for this behavior. Post-privilege escalation, attackers can establish persistence, install software, create new user accounts, or perform lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure Jamf Protect to forward macOS endpoint events to the Elastic platform to enable the detections in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003emacOS User Added to Admin Group via dscl\u003c/code\u003e to detect potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by reviewing the actions taken by the affected user immediately after being added to the admin group, looking for persistence mechanisms or unauthorized software installs.\u003c/li\u003e\n\u003cli\u003eUse the provided investigation queries in the rule\u0026rsquo;s metadata to find related events from the host or parent process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T20:00:00Z","date_published":"2024-10-26T20:00:00Z","id":"/briefs/2024-10-macos-admin-group-privilege-escalation/","summary":"The rule identifies when a user is added to the admin group on macOS systems, potentially indicating privilege escalation activity, and requires Jamf Protect for data ingestion into Elastic.","title":"macOS User Added to Admin Group Detection","url":"https://feed.craftedsignal.io/briefs/2024-10-macos-admin-group-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed — Jamf","version":"https://jsonfeed.org/version/1.1"}