Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

JAMF MDM Execution

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Jay PanditCreated Tue Aug 22be2e3a5c-9cc7-4d02-842a-68e9cb26ec49macos
Log Source
macOSProcess Creation
ProductmacOS← raw: macos
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '/jamf'
        CommandLine|contains:
            # Note: add or remove commands according to your policy
            - 'createAccount'
            - 'manage'
            - 'removeFramework'
            - 'removeMdmProfile'
            - 'resetPassword'
            - 'setComputerName'
    condition: selection
False Positives

Legitimate use of the JAMF CLI tool by IT support and administrators

References
1
Resolving title…
github.com
2
Resolving title…
zoocoup.org
3
Resolving title…
docs.jamf.com
MITRE ATT&CK
Rule Metadata
Rule ID
be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
Status
test
Level
low
Type
Detection
Created
Tue Aug 22
Author
Jay Pandit
Path
rules/macos/process_creation/proc_creation_macos_jamf_usage.yml
Raw Tags
attack.execution
View on GitHub