Dumping Account Hashes via Built-In Commands

Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.


# Elastic prebuilt detection rule in its TOML source form. [metadata] holds
# packaging/release information; [rule] is the detection itself (a KQL query
# plus its MITRE ATT&CK mapping).
[metadata]
creation_date = "2021/01/25"
# Integration whose events the query runs over; corresponds to the
# logs-endpoint.events.* pattern listed in `index` under [rule].
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest Elastic Stack version this revision of the rule is shipped to.
min_stack_version = "8.3.0"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump
credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for
lateral movement.
"""
# Start of the search window for each run, relative to execution time. No
# `interval` is set in this file, so the 9-minute window presumably overlaps
# the default schedule to avoid gaps between runs — verify against the
# deployed schedule before tightening it.
from = "now-9m"
# Both Auditbeat and Elastic Defend (endpoint) process events are searched.
index = ["auditbeat-*", "logs-endpoint.events.*"]
# `query` below is KQL, not EQL or Lucene syntax.
language = "kuery"
license = "Elastic License v2"
name = "Dumping Account Hashes via Built-In Commands"
# First link covers where macOS keeps the per-user ShadowHashData; second is
# the mkpassdb man page, source of the `-dump` option matched by the query.
references = [
    "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
    "https://www.unix.com/man-page/osx/8/mkpassdb/",
]
# 73 is the risk score Elastic pairs with severity = "high"; keep the two in step.
risk_score = 73
rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
# Evaluate the time window against ingest time rather than @timestamp so
# events that reach the cluster late are still considered.
timestamp_override = "event.ingested"
type = "query"

# Matches macOS process-start events where `defaults` or `mkpassdb` is launched
# with `ShadowHashData` or `-dump` anywhere in its arguments. The two process
# names and the two argument values combine independently, so any of the four
# pairings fires (e.g. `defaults` with `-dump`), which is worth remembering when
# tuning exceptions for legitimate administrative tooling. The leading space on
# the second line is part of the literal string; KQL ignores it. Comments
# cannot go inside the ''' literal — everything between the quotes is the query.
query = '''
event.category:process and host.os.type:macos and event.type:start and
 process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump")
'''


# ATT&CK mapping: a single tactic/technique pair. [[rule.threat]] is an array
# of tables, so additional frameworks or tactics are appended as new elements
# rather than extra keys.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"


# Sub-table of the [[rule.threat]] element above; it must stay after that
# header and before any further [[rule.threat]] entry.
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
