Home/CVE-2021-40809/Sigma rules
Sigma

Sigma rules for CVE-2021-40809

2 rules · scoped to cve · back to CVE-2021-40809
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

2 of 2
direct medium
JAMF MDM Potential Suspicious Child Process
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
status test author Nasreddine Bencherchali (Nextron Systems) id 2316929c-01aa-438c-970f-099145ab1ee6 license Sigma · DRL-1.1
view Sigma YAML 
title: JAMF MDM Potential Suspicious Child Process
id: 2316929c-01aa-438c-970f-099145ab1ee6
status: test
description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
references:
    - https://github.com/MythicAgents/typhon/
    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith: '/jamf'
        Image|endswith:
            # Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
            - '/bash'
            - '/sh'
    condition: selection
falsepositives:
    - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
level: medium
direct low
JAMF MDM Execution
Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
status test author Jay Pandit id be2e3a5c-9cc7-4d02-842a-68e9cb26ec49 license Sigma · DRL-1.1
view Sigma YAML 
title: JAMF MDM Execution
id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
status: test
description: |
    Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
references:
    - https://github.com/MythicAgents/typhon/
    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Jay Pandit
date: 2023-08-22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/jamf'
        CommandLine|contains:
            # Note: add or remove commands according to your policy
            - 'createAccount'
            - 'manage'
            - 'removeFramework'
            - 'removeMdmProfile'
            - 'resetPassword'
            - 'setComputerName'
    condition: selection
falsepositives:
    - Legitimate use of the JAMF CLI tool by IT support and administrators
level: low
Showing 1-2 of 2
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Live status Privacy policy Terms of service
threatengine.sh