Root Account Enable Via Dsenableroot

Detects attempts to enable the root account via "dsenableroot"

Sigma rule

title: Root Account Enable Via Dsenableroot
id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
status: test
description: Detects attempts to enable the root account via "dsenableroot"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
    - https://ss64.com/osx/dsenableroot.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
    - attack.t1078
    - attack.t1078.001
    - attack.t1078.003
    - attack.initial-access
    - attack.persistence
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/dsenableroot'
    filter_main_disable:
        CommandLine|contains: ' -d '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
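
As an added illustration (not part of the rule or of the SigmaHQ project), the Python below evaluates the rule's selection, filter and condition over constructed macOS process_creation events, showing which command lines it alerts on and which the ' -d ' filter excludes. The events, paths and passwords are constructed sample values, and the matching helpers assume Sigma's default case-insensitive string semantics.

```python
"""Evaluate the dsenableroot Sigma rule against constructed events.

Mirrors Sigma's default string semantics (modifiers match
case-insensitively) and the condition
'selection and not 1 of filter_main_*': an event must hit the
selection and none of the filter_main_ maps."""

# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy the rule uses.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/dsenableroot", "CommandLine": "dsenableroot -u admin -p pw -r rootpw"},
    {"Image": "/usr/sbin/dsenableroot", "CommandLine": "dsenableroot -d -u admin -p pw"},
    {"Image": "/usr/sbin/dsenableroot", "CommandLine": "dsenableroot"},
    # The sudo process itself does not satisfy Image|endswith; the child
    # dsenableroot process would produce its own process_creation event.
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo dsenableroot -u admin"},
    # ' -d ' requires a trailing space, so a bare trailing -d is not filtered.
    {"Image": "/usr/sbin/dsenableroot", "CommandLine": "dsenableroot -d"},
]


def sigma_endswith(value, suffix):
    return value.lower().endswith(suffix.lower())


def sigma_contains(value, needle):
    return needle.lower() in value.lower()


def selection(event):
    # Image|endswith: '/dsenableroot'
    return sigma_endswith(event.get("Image", ""), "/dsenableroot")


def filter_main_disable(event):
    # CommandLine|contains: ' -d '  (the disable switch, space-delimited)
    return sigma_contains(event.get("CommandLine", ""), " -d ")


FILTERS_MAIN = [filter_main_disable]


def rule_matches(event):
    # condition: selection and not 1 of filter_main_*
    return selection(event) and not any(f(event) for f in FILTERS_MAIN)


def evaluate(events):
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```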
