Attempt to Enable the Root Account

Identifies attempts to enable the root account using the dsenableroot command. Adversaries may abuse this command for persistence, because the root account is disabled by default on macOS.

Elastic rule (published on GitHub)

 1[metadata]
 2creation_date = "2020/01/04"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/02/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries
13for persistence, as the root account is disabled by default.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Attempt to Enable the Root Account"
20references = ["https://ss64.com/osx/dsenableroot.html"]
21risk_score = 47
22rule_id = "cc2fd2d0-ba3a-4939-b87f-2901764ed036"
23severity = "medium"
24tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
25timestamp_override = "event.ingested"
26type = "query"
27
28query = '''
29event.category:process and host.os.type:macos and event.type:(start or process_started) and
30 process.name:dsenableroot and not process.args:"-d"
31'''
32
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1078"
38name = "Valid Accounts"
39reference = "https://attack.mitre.org/techniques/T1078/"
40[[rule.threat.technique.subtechnique]]
41id = "T1078.003"
42name = "Local Accounts"
43reference = "https://attack.mitre.org/techniques/T1078/003/"
44
45
46
47[rule.threat.tactic]
48id = "TA0003"
49name = "Persistence"
50reference = "https://attack.mitre.org/tactics/TA0003/"
