Guest Account Enabled Via Sysadminctl

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.defense-evasion attack.initial-access attack.t1078 attack.t1078.001  ·
Share on: linkedin copy

Detects attempts to enable the guest account using the sysadminctl utility

Sigma rule (View on GitHub)

 1title: Guest Account Enabled Via Sysadminctl
 2id: d7329412-13bd-44ba-a072-3387f804a106
 3status: test
 4description: Detects attempts to enable the guest account using the sysadminctl utility
 5references:
 6    - https://ss64.com/osx/sysadminctl.html
 7author: Sohan G (D4rkCiph3r)
 8date: 2023-02-18
 9tags:
10    - attack.privilege-escalation
11    - attack.persistence
12    - attack.defense-evasion
13    - attack.initial-access
14    - attack.t1078
15    - attack.t1078.001
16logsource:
17    category: process_creation
18    product: macos
19detection:
20    selection:
21        Image|endswith: '/sysadminctl'
22        CommandLine|contains|all:
23            # By default the guest account is not active
24            - ' -guestAccount'
25            - ' on'
26    condition: selection
27falsepositives:
28    - Unknown
29level: low

References

  • sysadminctl Man Page - macOS - SS64.com

    sysadminctl Administer system user accounts. sysadminctl can be used to change user passwords, create new users (including automatically provisioning the user home folder) or to check the status of...


    Read More

Related rules

to-top