User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
Sigma rule (View on GitHub)
1title: User Added To Admin Group Via Dscl
2id: b743623c-2776-40e0-87b1-682b975d0ca5
3related:
4 - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
5 type: obsolete
6status: test
7description: Detects attempts to create and add an account to the admin group via "dscl"
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
10 - https://ss64.com/osx/dscl.html
11author: Sohan G (D4rkCiph3r)
12date: 2023-03-19
13tags:
14 - attack.initial-access
15 - attack.privilege-escalation
16 - attack.t1078.003
17logsource:
18 category: process_creation
19 product: macos
20detection:
21 selection: # adds to admin group
22 Image|endswith: '/dscl'
23 CommandLine|contains|all:
24 - ' -append '
25 - ' /Groups/admin '
26 - ' GroupMembership '
27 condition: selection
28falsepositives:
29 - Legitimate administration activities
30level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
dscl Directory Service command line utility. Create, read, and manage Directory Service data. If invoked without any commands, dscl runs in an interactive mode, reading commands from standard input...
Read More
Related rules
- User Added To Admin Group Via DseditGroup
- User Added To Admin Group Via Sysadminctl
- AWS Suspicious SAML Activity
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address