Potential Admin Group Account Addition
Identifies attempts to add an account to the local `admin` group on macOS from the command line (via `dscl` or `dseditgroup`). Membership in that group grants administrator rights, so this can indicate privilege escalation, though legitimate provisioning and MDM tooling also performs it.
# Rule packaging metadata, consumed by Elastic's rule tooling rather than by
# the detection query itself.
[metadata]
creation_date = "2020/01/05"
# Integration the rule ships with; the index patterns under [rule] also
# cover Auditbeat data.
integration = ["endpoint"]
maturity = "production"
# Why the stack floor is 8.3.0: the schema fields named in this comment were
# introduced in that release.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege
escalation activity.
"""
# Lookback window. Paired with timestamp_override = "event.ingested" below so
# events that arrive late are still evaluated; presumably wider than the
# schedule interval (not shown here) to give overlap — confirm in deployment.
from = "now-9m"
# Two data sources: Auditbeat and Elastic Defend (endpoint) process events.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Admin Group Account Addition"
references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"]
# Keep risk_score and severity in step when tuning (47 / medium here).
risk_score = 47
# Stable identifier; keep it unchanged across revisions of this rule.
rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
# Evaluate on ingest time rather than event time so late-arriving events
# still fall inside the lookback window above.
timestamp_override = "event.ingested"
type = "query"

# Detection logic (KQL).
# - Scoped to macOS process-start events. Both event.type values are listed,
#   presumably one per data source above (start = endpoint,
#   process_started = auditbeat) — confirm against the shipped ECS mappings.
# - Each process.args term is matched independently against any element of
#   the args array, so "admin" and "-a" need not be adjacent or refer to the
#   same argument. This covers e.g.
#   `dseditgroup -o edit -a <user> -t user admin` and
#   `dscl . -append /Groups/admin GroupMembership <user>`.
# - NOTE(review): the bare tokens "admin" and "-a" are short and may match
#   unrelated dscl/dseditgroup invocations; expect to add exceptions for MDM
#   and provisioning tooling that legitimately manages the admin group.
# - NOTE(review): dscl may accept its verbs without the leading dash
#   (`append` rather than `-append`); the current terms would not match that
#   form. Verify against the dscl man page before widening the query.
query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:(dscl or dseditgroup) and process.args:(("/Groups/admin" or admin) and ("-a" or "-append"))
'''


# ATT&CK mapping: adding a local account to the admin group is treated here as
# abuse of a local valid account for privilege escalation.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.003"
name = "Local Accounts"
reference = "https://attack.mitre.org/techniques/T1078/003/"

# NOTE(review): the same activity also fits Account Manipulation (T1098)
# under Persistence; consider a second [[rule.threat]] entry — confirm
# against the rule-set's mapping conventions.

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- Apple Scripting Execution with Administrator Privileges
- Execution with Explicit Credentials via Scripting
- Potential Privacy Control Bypass via Localhost Secure Copy
- Potential Privilege Escalation via Sudoers File Modification
- Privilege Escalation via Root Crontab File Modification