JAMF MDM Potential Suspicious Child Process
Detects potentially suspicious child processes of "jamf". Such activity could be a sign of Jamf being abused as a C2 server, as seen with the Typhon MythicAgent.
Sigma rule
title: JAMF MDM Potential Suspicious Child Process
id: 2316929c-01aa-438c-970f-099145ab1ee6
status: experimental
description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
references:
    - https://github.com/MythicAgents/typhon/
    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith: '/jamf'
        Image|endswith:
            # Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
            - '/bash'
            - '/sh'
    condition: selection
falsepositives:
    - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
level: medium
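To show how the selection above behaves on telemetry, here is an added Python example (not code from the Sigma project or from this rule's author): it evaluates the rule's selection over constructed macOS process_creation events and applies an allowlist for the false positive the rule documents. The event paths, command lines and the allowlist are constructed assumptions; only the field names and match logic come from the rule.

```python
# Added example, not the Sigma project's code. Evaluates the rule's
# "selection" over constructed macOS process_creation events and applies
# a tuning filter for the documented false positive. Field names follow
# Sigma's process_creation schema; the events and the allowlist below
# are constructed for illustration.

SUSPICIOUS_CHILD_SUFFIXES = ("/bash", "/sh")  # the rule's Image|endswith list


def matches_rule(event: dict) -> bool:
    """Sigma 'selection': ParentImage|endswith '/jamf' AND Image|endswith
    one of the listed shells. Sigma string matching is case-insensitive,
    so both fields are lower-cased before comparison."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return parent.endswith("/jamf") and image.endswith(SUSPICIOUS_CHILD_SUFFIXES)


def is_known_admin_script(event: dict, allowlist: tuple) -> bool:
    """Tuning filter for the rule's stated false positive: shells that Jamf
    launches to run scripts the admins deployed on purpose. Matches when an
    allow-listed script path appears in the command line."""
    cmdline = event.get("CommandLine", "")
    return any(path in cmdline for path in allowlist)


def evaluate(events: list, allowlist: tuple = ()) -> list:
    """Return the events that trigger the rule and survive the allowlist."""
    return [e for e in events if matches_rule(e) and not is_known_admin_script(e, allowlist)]


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/local/jamf/bin/jamf", "Image": "/bin/bash",
     "CommandLine": "/bin/bash /Library/Management/inventory_update.sh"},  # deployed admin script
    {"ParentImage": "/usr/local/jamf/bin/jamf", "Image": "/bin/sh",
     "CommandLine": "/bin/sh -c /private/tmp/unexpected_script.sh"},       # shell not on the allowlist
    {"ParentImage": "/usr/local/jamf/bin/jamf", "Image": "/usr/bin/defaults",
     "CommandLine": "/usr/bin/defaults read com.example.plist"},           # not a listed shell
    {"ParentImage": "/sbin/launchd", "Image": "/bin/bash",
     "CommandLine": "/bin/bash /etc/periodic/daily/example"},              # wrong parent
    {"ParentImage": "/usr/local/jamf/bin/jamfhelper", "Image": "/bin/sh",
     "CommandLine": "/bin/sh -c true"},                                    # 'endswith' is not 'contains'
]

KNOWN_ADMIN_SCRIPTS = ("/Library/Management/inventory_update.sh",)  # constructed allowlist

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS, KNOWN_ADMIN_SCRIPTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

Run as-is the script alerts only on the second event; without the allowlist the first event would alert too, which is the tuning the rule's falsepositives entry asks for.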