Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
Sigma rule (View on GitHub)
1title: Hidden User Creation
2id: b22a5b36-2431-493a-8be1-0bae56c28ef3
3status: test
4description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
7author: Daniil Yugoslavskiy, oscd.community
8date: 2020/10/10
9modified: 2021/11/27
10tags:
11 - attack.defense_evasion
12 - attack.t1564.002
13logsource:
14 category: process_creation
15 product: macos
16detection:
17 dscl_create:
18 Image|endswith: '/dscl'
19 CommandLine|contains: 'create'
20 id_below_500:
21 CommandLine|contains: UniqueID
22 CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
23 ishidden_option_declaration:
24 CommandLine|contains: 'IsHidden'
25 ishidden_option_confirmation:
26 CommandLine|contains:
27 - 'true'
28 - 'yes'
29 - '1'
30 condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
31falsepositives:
32 - Legitimate administration activities
33level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Disable Security Tools
- Auditing Configuration Changes on Linux Host
- Clear Linux Logs
- Connection Proxy
- File Deletion