Guest Account Enabled Via Sysadminctl
Detects attempts to enable the guest account using the sysadminctl utility
Sigma rule (View on GitHub)
1title: Guest Account Enabled Via Sysadminctl
2id: d7329412-13bd-44ba-a072-3387f804a106
3status: test
4description: Detects attempts to enable the guest account using the sysadminctl utility
5references:
6 - https://ss64.com/osx/sysadminctl.html
7author: Sohan G (D4rkCiph3r)
8date: 2023-02-18
9tags:
10 - attack.initial-access
11 - attack.t1078
12 - attack.t1078.001
13logsource:
14 category: process_creation
15 product: macos
16detection:
17 selection:
18 Image|endswith: '/sysadminctl'
19 CommandLine|contains|all:
20 # By default the guest account is not active
21 - ' -guestAccount'
22 - ' on'
23 condition: selection
24falsepositives:
25 - Unknown
26level: low
References
-
sysadminctl Administer system user accounts. sysadminctl can be used to change user passwords, create new users (including automatically provisioning the user home folder) or to check the status of...
Read More
Related rules
- Root Account Enable Via Dsenableroot
- AWS Suspicious SAML Activity
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow