License: Apache-2.0, from splunk/security_content

MacOS Account Created

The following analytic detects the creation of a new local user account on a MacOS system. It leverages osquery logs to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.

Rule source: detections/endpoint/macos_account_created.yml

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where

(
    Processes.process = "*sysadminctl*"
    AND Processes.process = "*-addUser*"
)
OR
(
    Processes.process = "*createhomedir*"
    AND Processes.process = "*-u*"
)
OR
(
    Processes.process = "*dseditgroup*"
    AND Processes.process IN (
        "*edit*",
        "*-a*"
        )
)
OR
(
    Processes.process = "*dscl*"
    AND Processes.process = "*-create*"
)

by Processes.dest Processes.original_file_name Processes.parent_process_id
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_current_directory Processes.process_name
   Processes.process_path Processes.user Processes.user_id
   Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_account_created_filter`
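The search above is four OR'd branches, each an AND of wildcard matches on the process command line, followed by a count/min/max aggregation. The following Python is an added example (not part of the splunk/security_content rule) that emulates that logic outside Splunk so the branches can be unit-tested against known-good and known-benign command lines before the rule is deployed. The sample events are constructed, not real telemetry; the field names (`dest`, `user`, `process_name`, `process`, `_time`) are the ones the rule groups by; `*` is treated the way Splunk treats it in a `field=value` term (any run of characters, matched case-insensitively), which is an assumption stated here rather than something the page documents.

```python
import re

# Each branch of the rule's WHERE clause, expressed as an AND of OR-groups:
# every group must have at least one pattern that matches Processes.process.
# IN (...) in the original becomes a group with several patterns.
RULE_BRANCHES = {
    "sysadminctl -addUser": [["*sysadminctl*"], ["*-addUser*"]],
    "createhomedir -u":     [["*createhomedir*"], ["*-u*"]],
    "dseditgroup edit/-a":  [["*dseditgroup*"], ["*edit*", "*-a*"]],
    "dscl -create":         [["*dscl*"], ["*-create*"]],
}

# Constructed sample events shaped like Endpoint.Processes rows (not real data).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "dest": "mac-01", "user": "root",
     "process_name": "sysadminctl",
     "process": "sysadminctl -addUser backup_svc -fullName Backup -password ****"},
    {"_time": "2024-05-01T10:00:05", "dest": "mac-01", "user": "root",
     "process_name": "createhomedir",
     "process": "createhomedir -c -u backup_svc"},
    {"_time": "2024-05-01T10:00:09", "dest": "mac-01", "user": "root",
     "process_name": "dseditgroup",
     "process": "dseditgroup -o edit -a backup_svc -t user admin"},
    {"_time": "2024-05-02T09:30:00", "dest": "mac-02", "user": "installer",
     "process_name": "dscl",
     "process": "dscl . -create /Users/_mysql UniqueID 74"},
    # Benign activity that must not fire:
    {"_time": "2024-05-02T11:00:00", "dest": "mac-02", "user": "alice",
     "process_name": "ls", "process": "ls -la /Users"},
    {"_time": "2024-05-02T11:01:00", "dest": "mac-02", "user": "alice",
     "process_name": "dscl", "process": "dscl . -read /Users/alice"},
]


def spl_like(value: str, pattern: str) -> bool:
    """Emulate a Splunk wildcard term: '*' matches any text, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def matched_branches(event: dict) -> list:
    """Return the names of the rule branches whose AND-of-OR conditions the event satisfies."""
    proc = event.get("process", "")
    return [name for name, groups in RULE_BRANCHES.items()
            if all(any(spl_like(proc, p) for p in group) for group in groups)]


def run_rule(events: list) -> dict:
    """Emulate the tstats aggregation: count, firstTime, lastTime per (dest, user, process_name, process).

    ISO-8601 timestamps are compared as strings, which orders them correctly.
    """
    results = {}
    for ev in events:
        branches = matched_branches(ev)
        if not branches:
            continue
        key = (ev["dest"], ev["user"], ev["process_name"], ev["process"])
        t = ev["_time"]
        row = results.setdefault(
            key, {"count": 0, "firstTime": t, "lastTime": t, "branches": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], t)
        row["lastTime"] = max(row["lastTime"], t)
        row["branches"].update(branches)
    return results


if __name__ == "__main__":
    for key, row in run_rule(SAMPLE_EVENTS).items():
        dest, user, name, cmd = key
        print(f"{dest} {user} {name}: count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']} via {sorted(row['branches'])}")
```

Running this shows the first four constructed events producing one aggregated row each and the two benign events producing none. It also makes the tuning surface visible: `*-u*` and `*-a*` are substring matches over the whole command line, so any `createhomedir` or `dseditgroup` invocation carrying those letters after a dash will fire, which is the kind of environment-specific noise the trailing `macos_account_created_filter` macro is there to absorb.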