Attempt to Enable the Root Account

  1[metadata]
  2creation_date = "2020/01/04"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/18"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries
 11for persistence, as the root account is disabled by default.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Attempt to Enable the Root Account"
 18references = ["https://ss64.com/osx/dsenableroot.html"]
 19risk_score = 47
 20rule_id = "cc2fd2d0-ba3a-4939-b87f-2901764ed036"
 21setup = """## Setup
 22
 23This rule requires data coming in from Elastic Defend.
 24
 25### Elastic Defend Integration Setup
 26Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 27
 28#### Prerequisite Requirements:
 29- Fleet is required for Elastic Defend.
 30- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 31
 32#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 33- Go to the Kibana home page and click "Add integrations".
 34- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 35- Click "Add Elastic Defend".
 36- Configure the integration name and optionally add a description.
 37- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 38- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 39- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 40- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 41For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 42- Click "Save and Continue".
 43- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 44For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 45"""
 46severity = "medium"
 47tags = [
 48    "Domain: Endpoint",
 49    "OS: macOS",
 50    "Use Case: Threat Detection",
 51    "Tactic: Persistence",
 52    "Data Source: Elastic Defend",
 53    "Resources: Investigation Guide",
 54]
 55timestamp_override = "event.ingested"
 56type = "eql"
 57
 58query = '''
 59process where host.os.type == "macos" and event.type in ("start", "process_started") and
 60 process.name == "dsenableroot" and 
 61 not process.args == "-d"
 62'''
 63note = """## Triage and analysis
 64
 65> **Disclaimer**:
 66> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 67
 68### Investigating Attempt to Enable the Root Account
 69
 70In macOS environments, the root account is typically disabled to enhance security. However, adversaries may attempt to enable it using the `dsenableroot` command to gain persistent, elevated access. The detection rule identifies such attempts by monitoring process events for the execution of `dsenableroot` without the disable flag, indicating potential misuse for persistence.
 71
 72### Possible investigation steps
 73
 74- Review the process event logs to confirm the execution of the dsenableroot command without the disable flag, as indicated by the absence of process.args:"-d".
 75- Identify the user account associated with the process event to determine if the action was initiated by a legitimate user or a potential adversary.
 76- Check for any recent changes in user account permissions or configurations that might indicate unauthorized access or privilege escalation.
 77- Investigate any other suspicious activities or process executions around the same time as the dsenableroot command to identify potential lateral movement or further persistence mechanisms.
 78- Correlate the event with other security alerts or logs from the same host to assess if this is part of a broader attack campaign.
 79
 80### False positive analysis
 81
 82- System administrators may legitimately enable the root account for maintenance or troubleshooting. To handle this, create exceptions for known administrator accounts or specific maintenance windows.
 83- Automated scripts or management tools might use the dsenableroot command as part of their operations. Identify these tools and exclude their process signatures from triggering alerts.
 84- Educational or testing environments may require enabling the root account for instructional purposes. Implement exclusions for these environments by tagging relevant systems or user accounts.
 85- Ensure that any exclusion rules are regularly reviewed and updated to reflect changes in administrative practices or tool usage to maintain security integrity.
 86
 87### Response and remediation
 88
 89- Immediately isolate the affected macOS system from the network to prevent any potential lateral movement by the adversary.
 90- Terminate any unauthorized processes associated with the `dsenableroot` command to halt further misuse of elevated privileges.
 91- Review system logs and user activity to identify any unauthorized changes or access that occurred after the root account was enabled.
 92- Reset the root account password and disable the root account to prevent further unauthorized access.
 93- Conduct a thorough scan of the system for any additional signs of compromise or persistence mechanisms that may have been installed.
 94- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
 95- Implement additional monitoring and alerting for any future attempts to enable the root account, ensuring rapid detection and response."""
 96
 97
 98[[rule.threat]]
 99framework = "MITRE ATT&CK"
100[[rule.threat.technique]]
101id = "T1078"
102name = "Valid Accounts"
103reference = "https://attack.mitre.org/techniques/T1078/"
104[[rule.threat.technique.subtechnique]]
105id = "T1078.003"
106name = "Local Accounts"
107reference = "https://attack.mitre.org/techniques/T1078/003/"
108
109
110
111[rule.threat.tactic]
112id = "TA0003"
113name = "Persistence"
114reference = "https://attack.mitre.org/tactics/TA0003/"