JumpCloud admin granted system privileges

Set up the JumpCloud integration.


Goal

Detect when a JumpCloud user grants administrative privileges on a user endpoint. On its own this event is not indicative of malicious activity, but detecting it is valuable for auditing privilege changes.

Strategy

This rule monitors JumpCloud audit logs and triggers on events whose @evt.name is system_admin_grant.

Triage and response

  1. Reach out to the admin who made the change ({{@usr.email}}) to confirm that the user (@usr.name) should have administrative privileges on the specified resource (@resource.name).
  2. If the change was not authorized, verify that there are no other signals involving the JumpCloud admin ({{@usr.email}}) or the system (@resource.name).
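The strategy above (match @evt.name of system_admin_grant) and triage step 2 (look for other signals tied to the same admin or system), worked through as an added example that is not Datadog's or JumpCloud's own code. The events are constructed samples already flattened to the attribute names the rule text uses; mapping real JumpCloud payloads onto those names is assumed to be done by the integration.

```python
"""Added example: run the rule's match condition over constructed JumpCloud
audit events and build the triage context for each resulting signal."""
from typing import Dict, List

WATCHED_EVENT = "system_admin_grant"

# Constructed sample events (not real JumpCloud data), flattened to the
# attribute names used in the rule text: evt.name, usr.email, usr.name,
# resource.name. The field mapping is an assumption for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"evt.name": "user_login_attempt", "usr.email": "alice@example.com",
     "usr.name": "alice", "resource.name": "laptop-01"},
    {"evt.name": "system_admin_grant", "usr.email": "it-admin@example.com",
     "usr.name": "bob", "resource.name": "laptop-02"},
    {"evt.name": "system_admin_revoke", "usr.email": "it-admin@example.com",
     "usr.name": "bob", "resource.name": "laptop-02"},
    {"evt.name": "system_admin_grant", "usr.email": "it-admin@example.com",
     "usr.name": "carol", "resource.name": "build-07"},
    {"evt.name": "system_admin_grant", "usr.email": "contractor@example.com",
     "usr.name": "dave", "resource.name": "laptop-02"},
]


def find_admin_grants(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emit one signal per system_admin_grant event: the granting admin,
    the user who received admin rights, and the system involved."""
    signals = []
    for ev in events:
        if ev.get("evt.name") != WATCHED_EVENT:
            continue
        signals.append({
            "granting_admin": ev.get("usr.email", "<missing usr.email>"),
            "granted_user": ev.get("usr.name", "<missing usr.name>"),
            "system": ev.get("resource.name", "<missing resource.name>"),
        })
    return signals


def related_signals(signals: List[Dict[str, str]],
                    current: Dict[str, str]) -> List[Dict[str, str]]:
    """Triage step 2: other grant signals from the same admin or on the
    same system as the signal under review (the signal itself excluded)."""
    return [s for s in signals if s is not current and
            (s["granting_admin"] == current["granting_admin"]
             or s["system"] == current["system"])]
```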