User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
Sigma rule (View on GitHub)
1title: User Added To Admin Group Via Dscl
2id: b743623c-2776-40e0-87b1-682b975d0ca5
3related:
4 - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
5 type: obsolete
6status: test
7description: Detects attempts to create and add an account to the admin group via "dscl"
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
10 - https://ss64.com/osx/dscl.html
11author: Sohan G (D4rkCiph3r)
12date: 2023-03-19
13tags:
14 - attack.persistence
15 - attack.defense-evasion
16 - attack.initial-access
17 - attack.privilege-escalation
18 - attack.t1078.003
19logsource:
20 category: process_creation
21 product: macos
22detection:
23 selection: # adds to admin group
24 Image|endswith: '/dscl'
25 CommandLine|contains|all:
26 - ' -append '
27 - ' /Groups/admin '
28 - ' GroupMembership '
29 condition: selection
30falsepositives:
31 - Legitimate administration activities
32level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
dscl Directory Service command line utility. Create, read, and manage Directory Service data. If invoked without any commands, dscl runs in an interactive mode, reading commands from standard input...
Read More
Related rules
- Admin User Remote Logon
- Root Account Enable Via Dsenableroot
- User Added To Admin Group Via DseditGroup
- User Added To Admin Group Via Sysadminctl
- AWS IAM S3Browser LoginProfile Creation