Detectionmediumtest
JAMF MDM Potential Suspicious Child Process
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Aug 222316929c-01aa-438c-970f-099145ab1ee6macos
Log Source
macOSProcess Creation
ProductmacOS← raw: macos
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
ParentImage|endswith: '/jamf'
Image|endswith:
# Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
- '/bash'
- '/sh'
condition: selectionFalse Positives
Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
2316929c-01aa-438c-970f-099145ab1ee6
Status
test
Level
medium
Type
Detection
Created
Tue Aug 22
Path
rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml
Raw Tags
attack.execution