EXPLORE
Sign In
← Back to Explore
sigmalowHunting

JAMF MDM Execution

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.

Detection Query

selection:
  Image|endswith: /jamf
  CommandLine|contains:
    - createAccount
    - manage
    - removeFramework
    - removeMdmProfile
    - resetPassword
    - setComputerName
condition: selection

Author

Jay Pandit

Created

2023-08-22

Data Sources

macosProcess Creation Events

Platforms

macos

References

Tags

attack.execution
Raw Content
title: JAMF MDM Execution
id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
status: test
description: |
    Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
references:
    - https://github.com/MythicAgents/typhon/
    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Jay Pandit
date: 2023-08-22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/jamf'
        CommandLine|contains:
            # Note: add or remove commands according to your policy
            - 'createAccount'
            - 'manage'
            - 'removeFramework'
            - 'removeMdmProfile'
            - 'resetPassword'
            - 'setComputerName'
    condition: selection
falsepositives:
    - Legitimate use of the JAMF CLI tool by IT support and administrators
level: low