JAMF MDM Execution

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.

Sigma rule (View on GitHub)

 1title: JAMF MDM Execution
 2id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
 3status: test
 4description: |
 5        Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
 6references:
 7    - https://github.com/MythicAgents/typhon/
 8    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
 9    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
10author: Jay Pandit
11date: 2023-08-22
12tags:
13    - attack.execution
14logsource:
15    category: process_creation
16    product: macos
17detection:
18    selection:
19        Image|endswith: '/jamf'
20        CommandLine|contains:
21            # Note: add or remove commands according to your policy
22            - 'createAccount'
23            - 'manage'
24            - 'removeFramework'
25            - 'removeMdmProfile'
26            - 'resetPassword'
27            - 'setComputerName'
28    condition: selection
29falsepositives:
30    - Legitimate use of the JAMF CLI tool by IT support and administrators
31level: low

References

Related rules

to-top