JAMF MDM Potential Suspicious Child Process

 1title: JAMF MDM Potential Suspicious Child Process
 2id: 2316929c-01aa-438c-970f-099145ab1ee6
 3status: experimental
 4description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
 5references:
 6    - https://github.com/MythicAgents/typhon/
 7    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
 8    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/08/22
11tags:
12    - attack.execution
13logsource:
14    category: process_creation
15    product: macos
16detection:
17    selection:
18        ParentImage|endswith: '/jamf'
19        Image|endswith:
20            # Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
21            - '/bash'
22            - '/sh'
23    condition: selection
24falsepositives:
25    - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
26level: medium

References

• GitHub - MythicAgents/typhon: Payload designed for targeting Jamf enrolled devices.

  

  Payload designed for targeting Jamf enrolled devices. - MythicAgents/typhon

  
  Read More

• %PDF-1.3 %Äåòåë§ó ÐÄÆ 4 0 obj > stream x
  í}ëšÇqåÿzŠ&(R‰ÓÓ÷Ëju#Ø",Y6aÉ^�¼ƒ.4ÉŸ^vŸeO^NœÈª¬êêž!9À’Ò‡éήŒŒŒ[FFDfý×äŸ&ÿ5¹¸÷f>yòf2›¼y‚¯³éf³Ÿ¯Ö34Ì&çå×'/&Ÿ>šÌé7ü]ÍWÓýj±™œÏÑgºm½˜\cã™?N}>¹ÿó 3Zn&...

  
  Read More

• Components Installed on Managed Computers - Jamf Pro Administrator's Guide | Jamf

  Jamf Components Installed on Computers The following components are installed on all computers. Jamf Apps and Binaries /usr/local/jamf/bin/jamf—The binary used to execute most tasks for Jamf Pro. /...

  
  Read More

Related rules

• JAMF MDM Execution
• Uncommon Child Process Of BgInfo.EXE
• Assembly DLL Creation Via AspNetCompiler
• Blue Mockingbird - Registry
• Enable Microsoft Dynamic Data Exchange