JAMF MDM Potential Suspicious Child Process

Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.

Sigma rule (View on GitHub)

 1title: JAMF MDM Potential Suspicious Child Process
 2id: 2316929c-01aa-438c-970f-099145ab1ee6
 3status: test
 4description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
 5references:
 6    - https://github.com/MythicAgents/typhon/
 7    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
 8    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/08/22
11tags:
12    - attack.execution
13logsource:
14    category: process_creation
15    product: macos
16detection:
17    selection:
18        ParentImage|endswith: '/jamf'
19        Image|endswith:
20            # Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
21            - '/bash'
22            - '/sh'
23    condition: selection
24falsepositives:
25    - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
26level: medium

References

Related rules

to-top