
Rule Info
Name: JAMF MDM Execution
Author: Jay Pandit
Description: Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.
Reference:
Date: 2023-08-22 00:00:00
Modified: None
Id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
Tags: attack.execution
Type: Community Rule
Link to Public Repo:
Rule History
| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| github-actions[bot] | Merge PR #4891 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-07-01 | |