Merge pull request #4155 from D4rkCiph3r/patch-5

Update proc_creation_macos_add_to_admin_group.yml
2023-08-23 08:57:45 +02:00
parent ea5db35a52 32800437c9
commit 2a2db295ce
4 changed files with 90 additions and 1 deletions
@@ -1,6 +1,6 @@
 title: User Added To Admin Group - MacOS
 id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
-status: experimental
+status: deprecated
 description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
@@ -8,6 +8,7 @@ references:
    - https://ss64.com/osx/sysadminctl.html
 author: Sohan G (D4rkCiph3r)
 date: 2023/03/19
+modified: 2023/08/22
 tags:
    - attack.t1078.003
    - attack.initial_access
@@ -0,0 +1,30 @@
+title: User Added To Admin Group Via Dscl
+id: b743623c-2776-40e0-87b1-682b975d0ca5
+related:
+    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
+      type: obsoletes
+status: experimental
+description: Detects attempts to create and add an account to the admin group via "dscl"
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
+    - https://ss64.com/osx/dscl.html
+author: Sohan G (D4rkCiph3r)
+date: 2023/03/19
+tags:
+    - attack.initial_access
+    - attack.privilege_escalation
+    - attack.t1078.003
+logsource:
+    category: process_creation
+    product: macos
+detection:
+    selection: #adds to admin group
+        Image|endswith: '/dscl'
+        CommandLine|contains|all:
+            - ' -append '
+            - ' /Groups/admin '
+            - ' GroupMembership '
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium
@@ -0,0 +1,28 @@
+title: User Added To Admin Group Via DseditGroup
+id: 5d0fdb62-f225-42fb-8402-3dfe64da468a
+status: experimental
+description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
+    - https://ss64.com/osx/dseditgroup.html
+author: Sohan G (D4rkCiph3r)
+date: 2023/08/22
+tags:
+    - attack.initial_access
+    - attack.privilege_escalation
+    - attack.t1078.003
+logsource:
+    category: process_creation
+    product: macos
+detection:
+    selection:
+        Image|endswith: '/dseditgroup'
+        CommandLine|contains|all:
+            - ' -o edit ' #edit operation
+            - ' -a ' # username
+            - ' -t user'
+            - 'admin' # Group name
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium
@@ -0,0 +1,30 @@
+title: User Added To Admin Group Via Sysadminctl
+id: 652c098d-dc11-4ba6-8566-c20e89042f2b
+related:
+    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
+      type: obsoletes
+status: experimental
+description: Detects attempts to create and add an account to the admin group via "sysadminctl"
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
+    - https://ss64.com/osx/sysadminctl.html
+author: Sohan G (D4rkCiph3r)
+date: 2023/03/19
+tags:
+    - attack.initial_access
+    - attack.privilege_escalation
+    - attack.t1078.003
+logsource:
+    category: process_creation
+    product: macos
+detection:
+    selection:
+        # Creates and adds new user to admin group
+        Image|endswith: '/sysadminctl'
+        CommandLine|contains|all:
+            - ' -addUser '
+            - ' -admin '
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium