Techniques
Sample rules
JAMF MDM Execution
- source: sigma
- techniques:
Description
Detects execution of the “jamf” binary to create user accounts and run commands. An attacker who already has access to the system can abuse the binary to bypass security controls or remove application control policies.
Detection logic
selection:
    Image|endswith: /jamf
    CommandLine|contains:
        - createAccount
        - manage
        - removeFramework
        - removeMdmProfile
        - resetPassword
        - setComputerName
condition: selection
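As an added illustration (not part of the rule or of Sigma itself), the selection above applied in Python to a few constructed process-creation events; the field names follow the rule, while the sample paths and command lines are made up for the test. Per the Sigma specification, string matching is case-insensitive by default, which is why the upper-case variant below still fires.

```python
"""Apply the JAMF MDM Execution selection to constructed process events."""
from typing import Dict, List

# Selection values copied from the rule: Image|endswith and CommandLine|contains.
IMAGE_ENDSWITH = "/jamf"
COMMANDLINE_CONTAINS = [
    "createAccount",
    "manage",
    "removeFramework",
    "removeMdmProfile",
    "resetPassword",
    "setComputerName",
]


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier; Sigma string matching is case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def sigma_contains_any(value: str, needles: List[str]) -> bool:
    """Sigma 'contains' modifier over a list: the list is an OR of substrings."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_jamf_rule(event: Dict[str, str]) -> bool:
    """'condition: selection' means every field in the selection must match (AND)."""
    return sigma_endswith(event.get("Image", ""), IMAGE_ENDSWITH) and sigma_contains_any(
        event.get("CommandLine", ""), COMMANDLINE_CONTAINS
    )


# Constructed sample events (not real telemetry); keys mirror Sigma process_creation fields.
SAMPLE_EVENTS = [
    {"Image": "/usr/local/bin/jamf", "CommandLine": "jamf createAccount -username helpdesk -admin"},
    {"Image": "/usr/local/jamf/bin/jamf", "CommandLine": "jamf policy -event checkin"},
    {"Image": "/usr/local/bin/jamf", "CommandLine": "jamf REMOVEFRAMEWORK"},
    {"Image": "/bin/bash", "CommandLine": "bash -c resetPassword"},
    {"Image": "/Library/Application Support/JAMF/bin/jamfAgent", "CommandLine": "jamfAgent manage"},
]


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on (first and third sample events)."""
    return [event for event in events if matches_jamf_rule(event)]
```

Because `contains` is a substring test, routine administrative use such as enrollment via `jamf manage` also matches, so in production the hits are normally enriched with the launching user and parent process before being treated as suspicious.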