Local System Accounts Discovery - MacOs

Detects enumeration of local systeam accounts on MacOS

Sigma rule (View on GitHub)

 1title: Local System Accounts Discovery - MacOs
 2id: ddf36b67-e872-4507-ab2e-46bda21b842c
 3status: test
 4description: Detects enumeration of local systeam accounts on MacOS
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
 7author: Alejandro Ortuno, oscd.community
 8date: 2020/10/08
 9modified: 2022/11/27
10tags:
11    - attack.discovery
12    - attack.t1087.001
13logsource:
14    category: process_creation
15    product: macos
16detection:
17    selection_1:
18        Image|endswith: '/dscl'
19        CommandLine|contains|all:
20            - 'list'
21            - '/users'
22    selection_2:
23        Image|endswith: '/dscacheutil'
24        CommandLine|contains|all:
25            - '-q'
26            - 'user'
27    selection_3:
28        CommandLine|contains: '''x:0:'''
29    selection_4:
30        Image|endswith: '/cat'
31        CommandLine|contains:
32            - '/etc/passwd'
33            - '/etc/sudoers'
34    selection_5:
35        Image|endswith: '/id'
36    selection_6:
37        Image|endswith: '/lsof'
38        CommandLine|contains: '-u'
39    condition: 1 of selection*
40falsepositives:
41    - Legitimate administration activities
42level: low

References

Related rules

to-top