LoFP / Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly.

Techniques

Sample rules

JAMF MDM Potential Suspicious Child Process

Description

Detects potentially suspicious child processes of “jamf”. This could be a sign of Jamf being abused as a C2 server, as seen with the Typhon MythicAgent.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /bash
  - /sh
  ParentImage|endswith: /jamf
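To show how the selection above evaluates and how the documented false positive can be tuned out, here is an added Python example (not part of the LoFP page or the Sigma rule itself). The event records, the field names Image/ParentImage/CommandLine and the allow-listed script prefix are constructed placeholders.

```python
# Added example, not the LoFP page's or the Sigma rule's own code: applies the rule's
# selection to constructed process events and adds a tuning filter for the documented
# false positive. Field names, paths and events below are constructed placeholders.

# Mirrors the rule: Image ends with /bash or /sh (OR) AND ParentImage ends with /jamf.
SELECTION = {
    "Image|endswith": ["/bash", "/sh"],
    "ParentImage|endswith": ["/jamf"],
}

# Hypothetical tuning filter for the false positive: scripts that administrators
# deploy through Jamf policies. Replace with the staging paths used in your fleet.
APPROVED_SCRIPT_PREFIXES = ["/Library/Application Support/JAMF/tmp/"]

def _field_matches(event, key, values):
    """Apply one Sigma-style 'field|modifier' clause; list values are OR-ed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "")
    if modifier == "endswith":
        return any(actual.endswith(v) for v in values)
    return actual in values  # plain equality when no modifier is given

def selection_matches(event, selection=SELECTION):
    """All clauses of a selection map must hold (logical AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def is_approved_script(event):
    """Known false positive: an allow-listed policy script launched via jamf."""
    cmd = event.get("CommandLine", "")
    return any(prefix in cmd for prefix in APPROVED_SCRIPT_PREFIXES)

def evaluate(events):
    """Equivalent of 'condition: selection and not filter'."""
    return [e for e in events if selection_matches(e) and not is_approved_script(e)]

# Constructed sample events: a benign policy script, an unapproved shell child, an unrelated shell.
SAMPLE_EVENTS = [
    {"Image": "/bin/sh", "ParentImage": "/usr/local/jamf/bin/jamf",
     "CommandLine": "/bin/sh /Library/Application Support/JAMF/tmp/inventory_update.sh"},
    {"Image": "/bin/bash", "ParentImage": "/usr/local/jamf/bin/jamf",
     "CommandLine": "/bin/bash /private/tmp/unreviewed_task.sh"},
    {"Image": "/bin/bash", "ParentImage": "/bin/zsh", "CommandLine": "/bin/bash ./build.sh"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Only the second event alerts: the first matches the selection but is removed by the filter, the third has no jamf parent.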