security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
blue-team-tools/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

32 lines
1.1 KiB
YAML
Raw Permalink Blame History

title: JAMF MDM Execution
id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
status: test
description: |
Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
references:
- https://github.com/MythicAgents/typhon/
- https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
- https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Jay Pandit
date: 2023-08-22
tags:
- attack.execution
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/jamf'
CommandLine|contains:
# Note: add or remove commands according to your policy
- 'createAccount'
- 'manage'
- 'removeFramework'
- 'removeMdmProfile'
- 'resetPassword'
- 'setComputerName'
condition: selection
falsepositives:
- Legitimate use of the JAMF CLI tool by IT support and administrators
level: low
Reference in New Issue View Git Blame Copy Permalink