Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
Sigma rule
```yaml
title: Root Account Enable Via Dsenableroot
id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
status: test
description: Detects attempts to enable the root account via "dsenableroot"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
    - https://ss64.com/osx/dsenableroot.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1078
    - attack.t1078.001
    - attack.t1078.003
    - attack.initial-access
    - attack.persistence
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/dsenableroot'
    filter_main_disable:
        CommandLine|contains: ' -d '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
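To make the detection logic concrete, the following added example (not SigmaHQ code) evaluates the rule's `selection`, `filter_main_disable` and `condition` over a handful of constructed macOS `process_creation` events. It uses the rule's own field names (`Image`, `CommandLine`) and applies Sigma's default case-insensitive string matching; the event dictionaries are made up for the example, and the flags they use are the ones documented for `dsenableroot`. The `disable_flag_by_token` helper is an assumption of the example, not part of the rule: it shows how a whole-argument check would treat a trailing `-d` differently from the rule's literal `' -d '` substring filter.

```python
"""Evaluate the Sigma rule 'Root Account Enable Via Dsenableroot' over
constructed macOS process_creation events.

Added example, not SigmaHQ code. Field names (Image, CommandLine) are those of
the Sigma macos/process_creation log source; all events below are constructed.
"""
from typing import Dict, Iterable, List

Event = Dict[str, str]


def selection(event: Event) -> bool:
    """Image|endswith: '/dsenableroot' (Sigma matches strings case-insensitively)."""
    return event.get("Image", "").lower().endswith("/dsenableroot")


def filter_main_disable(event: Event) -> bool:
    """CommandLine|contains: ' -d ' : a literal substring with a space on each side."""
    return " -d " in event.get("CommandLine", "").lower()


def rule_matches(event: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_disable(event)


def disable_flag_by_token(event: Event) -> bool:
    """Stricter alternative (assumption of this example, not in the rule):
    treat '-d' as a whole argument, so a trailing '-d' is also recognised."""
    return "-d" in event.get("CommandLine", "").split()


def run_rule(events: Iterable[Event]) -> List[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


# Constructed sample events; comments state the expected outcome under the rule.
SAMPLE_EVENTS: List[Event] = [
    {"Image": "/usr/sbin/dsenableroot", "CommandLine": "dsenableroot"},                   # enable: alert
    {"Image": "/usr/sbin/dsenableroot", "CommandLine": "dsenableroot -u localadmin"},     # enable: alert
    {"Image": "/usr/sbin/dsenableroot", "CommandLine": "dsenableroot -d -u localadmin"},  # disable: filtered out
    {"Image": "/usr/sbin/dsenableroot", "CommandLine": "dsenableroot -d"},                # disable, no trailing space: still alerts
    {"Image": "/bin/ls", "CommandLine": "ls -d /"},                                      # different Image: ignored
]


if __name__ == "__main__":
    for cmd in run_rule(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Running the block prints three alerts: the two enable invocations and the bare `dsenableroot -d`. That last one is worth noting when tuning: because the filter is the substring `' -d '` with spaces on both sides, a command line that ends in `-d` is not suppressed, so a plain disable can surface as a medium-level hit. That errs on the side of alerting, which is reasonable for a rule whose false positives are listed as unknown, but an analyst triaging it should check the full command line before treating it as an enable.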
Related rules
- Admin User Remote Logon
- Guest Account Enabled Via Sysadminctl
- AWS Key Pair Import Activity
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame