Root Account Enable Via Dsenableroot

Detects attempts to enable the root account via "dsenableroot"

Sigma rule (View on GitHub)

 1title: Root Account Enable Via Dsenableroot
 2id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
 3status: test
 4description: Detects attempts to enable the root account via "dsenableroot"
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
 7    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
 8    - https://ss64.com/osx/dsenableroot.html
 9author: Sohan G (D4rkCiph3r)
10date: 2023/08/22
11tags:
12    - attack.t1078
13    - attack.t1078.001
14    - attack.t1078.003
15    - attack.initial_access
16    - attack.persistence
17logsource:
18    category: process_creation
19    product: macos
20detection:
21    selection:
22        Image|endswith: '/dsenableroot'
23    filter_main_disable:
24        CommandLine|contains: ' -d '
25    condition: selection and not 1 of filter_main_*
26falsepositives:
27    - Unknown
28level: medium

References

Related rules

to-top