Potential Hidden Local User Account Creation
Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/01/05"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an
11attempt to evade user attention while maintaining persistence using a separate local account.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Potential Hidden Local User Account Creation"
18references = ["https://support.apple.com/en-us/HT203998"]
19risk_score = 47
20rule_id = "41b638a1-8ab6-4f8e-86d9-466317ef2db5"
21setup = """## Setup
22
23This rule requires data coming in from Elastic Defend.
24
25### Elastic Defend Integration Setup
26Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
27
28#### Prerequisite Requirements:
29- Fleet is required for Elastic Defend.
30- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
31
32#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
33- Go to the Kibana home page and click "Add integrations".
34- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
35- Click "Add Elastic Defend".
36- Configure the integration name and optionally add a description.
37- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
38- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
39- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
40- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
41For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
42- Click "Save and Continue".
43- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
44For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
45"""
46severity = "medium"
47tags = [
48 "Domain: Endpoint",
49 "OS: macOS",
50 "Use Case: Threat Detection",
51 "Tactic: Persistence",
52 "Data Source: Elastic Defend",
53 "Resources: Investigation Guide",
54]
55timestamp_override = "event.ingested"
56type = "query"
57
58query = '''
59event.category:process and host.os.type:macos and event.type:(start or process_started) and
60 process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))
61'''
62note = """## Triage and analysis
63
64> **Disclaimer**:
65> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
66
67### Investigating Potential Hidden Local User Account Creation
68
69In macOS environments, the `dscl` command-line utility manages directory services, including user accounts. Adversaries may exploit this to create hidden local accounts, evading detection while maintaining persistence. The detection rule monitors for `dscl` processes attempting to set accounts as hidden, flagging suspicious activity indicative of potential misuse.
70
71### Possible investigation steps
72
73- Review the process details to confirm the presence of the `dscl` command with arguments related to account creation and hiding, specifically checking for `IsHidden`, `create`, and values like `true`, `1`, or `yes`.
74- Identify the user account under which the `dscl` command was executed to determine if it was initiated by an authorized user or a potential adversary.
75- Check the system logs for any additional suspicious activity around the time the `dscl` command was executed, such as other unauthorized account modifications or unusual login attempts.
76- Investigate the newly created account details, if available, to assess its purpose and legitimacy, including checking for any associated files or processes that might indicate malicious intent.
77- Correlate the event with other security alerts or anomalies on the host to determine if this activity is part of a broader attack pattern or isolated incident.
78
79### False positive analysis
80
81- System administrators may use the dscl command to create hidden accounts for legitimate purposes such as maintenance or automated tasks. To manage this, create exceptions for known administrator accounts or scripts that regularly perform these actions.
82- Some third-party applications or management tools might use hidden accounts for functionality or security purposes. Identify these applications and whitelist their processes to prevent unnecessary alerts.
83- During system setup or configuration, hidden accounts might be created as part of the initial setup process. Exclude these initial setup activities by correlating them with known installation or configuration events.
84- Regular audits of user accounts and their creation processes can help distinguish between legitimate and suspicious account creation activities, allowing for more informed exception handling.
85- If a specific user or group frequently triggers this rule due to their role, consider creating a role-based exception to reduce noise while maintaining security oversight.
86
87### Response and remediation
88
89- Immediately isolate the affected macOS system from the network to prevent potential lateral movement or data exfiltration by the adversary.
90- Use administrative privileges to review and remove any unauthorized hidden user accounts created using the `dscl` command. Ensure that legitimate accounts are not affected.
91- Change passwords for all local accounts on the affected system to prevent unauthorized access using potentially compromised credentials.
92- Conduct a thorough review of system logs and security alerts to identify any additional suspicious activities or indicators of compromise related to the hidden account creation.
93- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
94- Implement enhanced monitoring for `dscl` command usage across all macOS systems in the environment to detect and respond to similar threats promptly.
95- Update and reinforce endpoint security measures, such as ensuring all systems have the latest security patches and antivirus definitions, to prevent exploitation of known vulnerabilities."""
96
97
98[[rule.threat]]
99framework = "MITRE ATT&CK"
100[[rule.threat.technique]]
101id = "T1078"
102name = "Valid Accounts"
103reference = "https://attack.mitre.org/techniques/T1078/"
104[[rule.threat.technique.subtechnique]]
105id = "T1078.003"
106name = "Local Accounts"
107reference = "https://attack.mitre.org/techniques/T1078/003/"
108
109
110
111[rule.threat.tactic]
112id = "TA0003"
113name = "Persistence"
114reference = "https://attack.mitre.org/tactics/TA0003/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential Hidden Local User Account Creation
In macOS environments, the dscl
command-line utility manages directory services, including user accounts. Adversaries may exploit this to create hidden local accounts, evading detection while maintaining persistence. The detection rule monitors for dscl
processes attempting to set accounts as hidden, flagging suspicious activity indicative of potential misuse.
Possible investigation steps
- Review the process details to confirm the presence of the
dscl
command with arguments related to account creation and hiding, specifically checking forIsHidden
,create
, and values liketrue
,1
, oryes
. - Identify the user account under which the
dscl
command was executed to determine if it was initiated by an authorized user or a potential adversary. - Check the system logs for any additional suspicious activity around the time the
dscl
command was executed, such as other unauthorized account modifications or unusual login attempts. - Investigate the newly created account details, if available, to assess its purpose and legitimacy, including checking for any associated files or processes that might indicate malicious intent.
- Correlate the event with other security alerts or anomalies on the host to determine if this activity is part of a broader attack pattern or isolated incident.
False positive analysis
- System administrators may use the dscl command to create hidden accounts for legitimate purposes such as maintenance or automated tasks. To manage this, create exceptions for known administrator accounts or scripts that regularly perform these actions.
- Some third-party applications or management tools might use hidden accounts for functionality or security purposes. Identify these applications and whitelist their processes to prevent unnecessary alerts.
- During system setup or configuration, hidden accounts might be created as part of the initial setup process. Exclude these initial setup activities by correlating them with known installation or configuration events.
- Regular audits of user accounts and their creation processes can help distinguish between legitimate and suspicious account creation activities, allowing for more informed exception handling.
- If a specific user or group frequently triggers this rule due to their role, consider creating a role-based exception to reduce noise while maintaining security oversight.
Response and remediation
- Immediately isolate the affected macOS system from the network to prevent potential lateral movement or data exfiltration by the adversary.
- Use administrative privileges to review and remove any unauthorized hidden user accounts created using the
dscl
command. Ensure that legitimate accounts are not affected. - Change passwords for all local accounts on the affected system to prevent unauthorized access using potentially compromised credentials.
- Conduct a thorough review of system logs and security alerts to identify any additional suspicious activities or indicators of compromise related to the hidden account creation.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
- Implement enhanced monitoring for
dscl
command usage across all macOS systems in the environment to detect and respond to similar threats promptly. - Update and reinforce endpoint security measures, such as ensuring all systems have the latest security patches and antivirus definitions, to prevent exploitation of known vulnerabilities.
References
Related rules
- Attempt to Enable the Root Account
- Authorization Plugin Modification
- Bash Shell Profile Modification
- Creation of Hidden Launch Agent or Daemon
- Creation of Hidden Login Item via Apple Script