Potential Admin Group Account Addition

  1[metadata]
  2creation_date = "2020/01/05"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/18"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege
 11escalation activity.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Potential Admin Group Account Addition"
 18references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"]
 19risk_score = 47
 20rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e"
 21setup = """## Setup
 22
 23This rule requires data coming in from Elastic Defend.
 24
 25### Elastic Defend Integration Setup
 26Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 27
 28#### Prerequisite Requirements:
 29- Fleet is required for Elastic Defend.
 30- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 31
 32#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 33- Go to the Kibana home page and click "Add integrations".
 34- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 35- Click "Add Elastic Defend".
 36- Configure the integration name and optionally add a description.
 37- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 38- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 39- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 40- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 41For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 42- Click "Save and Continue".
 43- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 44For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 45"""
 46severity = "medium"
 47tags = [
 48    "Domain: Endpoint",
 49    "OS: macOS",
 50    "Use Case: Threat Detection",
 51    "Tactic: Privilege Escalation",
 52    "Data Source: Elastic Defend",
 53    "Resources: Investigation Guide",
 54]
 55timestamp_override = "event.ingested"
 56type = "eql"
 57
 58query = '''
 59process where host.os.type == "macos" and event.type in ("start", "process_started") and
 60 process.name in ("dscl", "dseditgroup") and process.args like~ ("/Groups/admin", "admin") and process.args like ("-a", "-append") and
 61 not process.Ext.effective_parent.executable like ("/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon",
 62                                                   "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService",
 63                                                   "/opt/jc/bin/jumpcloud-agent",
 64                                                   "/Library/Addigy/go-agent")
 65'''
 66note = """## Triage and analysis
 67
 68> **Disclaimer**:
 69> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 70
 71### Investigating Potential Admin Group Account Addition
 72
 73In macOS environments, tools like `dscl` and `dseditgroup` manage user group memberships, including admin groups. Adversaries may exploit these tools to escalate privileges by adding accounts to admin groups, gaining unauthorized access. The detection rule identifies such attempts by monitoring process activities related to these tools, excluding legitimate management services, to flag potential privilege escalation.
 74
 75### Possible investigation steps
 76
 77- Review the process details to confirm the use of `dscl` or `dseditgroup` with arguments indicating an attempt to add an account to the admin group, such as "/Groups/admin" and "-a" or "-append".
 78- Check the process's parent executable path to ensure it is not one of the legitimate management services excluded in the query, such as JamfDaemon, JamfManagementService, jumpcloud-agent, or Addigy go-agent.
 79- Investigate the user account associated with the process to determine if it has a history of legitimate administrative actions or if it appears suspicious.
 80- Examine recent login events and user activity on the host to identify any unusual patterns or unauthorized access attempts.
 81- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or potential indicators of compromise.
 82- Assess the risk and impact of the account addition by determining if the account has been successfully added to the admin group and if any unauthorized changes have been made.
 83
 84### False positive analysis
 85
 86- Legitimate management services like JAMF and JumpCloud may trigger false positives when they manage user group memberships. These services are already excluded in the rule, but ensure any additional management tools used in your environment are similarly excluded.
 87- Automated scripts or maintenance tasks that require temporary admin access might be flagged. Review these scripts and consider adding them to the exclusion list if they are verified as safe.
 88- System updates or software installations that modify group memberships could be misidentified. Monitor these activities and adjust the rule to exclude known update processes if they are consistently flagged.
 89- User-initiated actions that are part of normal IT operations, such as adding a new admin for legitimate purposes, may appear as false positives. Ensure that such actions are documented and communicated to avoid unnecessary alerts.
 90
 91### Response and remediation
 92
 93- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or privilege escalation.
 94- Review the process execution logs to confirm unauthorized use of `dscl` or `dseditgroup` for adding accounts to the admin group, ensuring the activity is not part of legitimate administrative tasks.
 95- Remove any unauthorized accounts from the admin group to restore proper access controls and prevent further misuse of elevated privileges.
 96- Conduct a thorough review of all admin group memberships on the affected system to ensure no other unauthorized accounts have been added.
 97- Reset passwords for any accounts that were added to the admin group without authorization to prevent further unauthorized access.
 98- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
 99- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future privilege escalation attempts promptly."""
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1078"
106name = "Valid Accounts"
107reference = "https://attack.mitre.org/techniques/T1078/"
108[[rule.threat.technique.subtechnique]]
109id = "T1078.003"
110name = "Local Accounts"
111reference = "https://attack.mitre.org/techniques/T1078/003/"
112
113
114
115[rule.threat.tactic]
116id = "TA0004"
117name = "Privilege Escalation"
118reference = "https://attack.mitre.org/tactics/TA0004/"