From 6a9d887c47635a47490e889f53e20eb0221dda15 Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Thu, 30 Mar 2023 11:26:52 +0530
Subject: [PATCH 1/4] Update proc_creation_macos_add_to_admin_group.yml
Restructured another detection from this rule "proc_creation_macos_enable_root_account.yml"(PR Pending) to here.
---
 .../proc_creation_macos_add_to_admin_group.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml
index 9e221ddb6..e5df9247d 100644
--- a/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml
@@ -27,6 +27,13 @@ detection:
 - ' -append '
 - ' /Groups/admin '
 - ' GroupMembership '
+ selection_dseditgroup:
+ Image|endswith: '/dseditgroup'
+ CommandLine|contains|all:
+ - ' -o edit ' #edit operation
+ - ' -a ' #name of the record(username)
+ - ' -t ' #type of the record(usergroup)
+ - 'admin'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate administration activities
From 36624981372fd53a6c35216a9b5a6e95fad42727 Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Thu, 30 Mar 2023 11:34:38 +0530
Subject: [PATCH 2/4] Update proc_creation_macos_add_to_admin_group.yml
---
 .../process_creation/proc_creation_macos_add_to_admin_group.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml
index e5df9247d..5550cadbe 100644
--- a/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml
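Review bot: The three inline comments on the new `CommandLine|contains|all` items (`#edit operation`, `#name of the record(username)`, `#type of the record(usergroup)`) have no space after `#`, which yamllint's `comments` rule flags, and the third is inaccurate since `-t` names a single record type such as user or group rather than a "usergroup"; I would write `# -o edit: edit operation`, `# -a: name of the record to add (the username)` and `# -t: record type of that name (user or group)`. The bare `'admin'` item at the end of the list matches any command line that merely contains that substring, including a `-a` value or a path that happens to contain "admin", so on its own it does not pin the target group. The same selection is moved into its own rule in PATCH 3 of this series and the point applies there unchanged: if the group is always the final positional argument (the ss64 reference cited in that rule shows it last — confirm), a separate `CommandLine|endswith: ' admin'` on the same selection would be the more precise check.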
@@ -8,6 +8,7 @@ references:
 - https://ss64.com/osx/sysadminctl.html
 author: Sohan G (D4rkCiph3r)
 date: 2023/03/19
+modified: 2023/03/30
 tags:
 - attack.t1078.003
 - attack.initial_access
From 0f1f792ef9d4fa318e314395a7985e8ff606f7a5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 22 Aug 2023 17:48:06 +0200
Subject: [PATCH 3/4] chore: split rules
---
 ...proc_creation_macos_add_to_admin_group.yml | 11 ++-----
 ...ion_macos_dscl_add_user_to_admin_group.yml | 30 +++++++++++++++++++
 ...n_macos_dseditgroup_add_to_admin_group.yml | 28 +++++++++++++++++
 ...os_sysadminctl_add_user_to_admin_group.yml | 30 +++++++++++++++++++
 4 files changed, 90 insertions(+), 9 deletions(-)
 rename {rules/macos/process_creation => rules-deprecated/macos}/proc_creation_macos_add_to_admin_group.yml (79%)
 create mode 100644 rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
 create mode 100644 rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
 create mode 100644 rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
diff --git a/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml b/rules-deprecated/macos/proc_creation_macos_add_to_admin_group.yml
similarity index 79%
rename from rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml
rename to rules-deprecated/macos/proc_creation_macos_add_to_admin_group.yml
index 5550cadbe..ba813bf25 100644
--- a/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml
+++ b/rules-deprecated/macos/proc_creation_macos_add_to_admin_group.yml
@@ -1,6 +1,6 @@
 title: User Added To Admin Group - MacOS
 id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
-status: experimental
+status: deprecated
 description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
@@ -8,7 +8,7 @@ references:
 - https://ss64.com/osx/sysadminctl.html
 author: Sohan G (D4rkCiph3r)
 date: 2023/03/19
-modified: 2023/03/30
+modified: 2023/08/22
 tags:
 - attack.t1078.003
 - attack.initial_access
@@ -28,13 +28,6 @@ detection:
 - ' -append '
 - ' /Groups/admin '
 - ' GroupMembership '
- selection_dseditgroup:
- Image|endswith: '/dseditgroup'
- CommandLine|contains|all:
- - ' -o edit ' #edit operation
- - ' -a ' #name of the record(username)
- - ' -t ' #type of the record(usergroup)
- - 'admin'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate administration activities
diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
new file mode 100644
index 000000000..c43d0806a
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
@@ -0,0 +1,30 @@
+title: User Added To Admin Group Via Dscl
+id: b743623c-2776-40e0-87b1-682b975d0ca5
+related:
+ - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
+ type: obsoletes
+status: experimental
+description: Detects attempts to create and add an account to the admin group via "dscl"
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
+ - https://ss64.com/osx/dscl.html
+author: Sohan G (D4rkCiph3r)
+date: 2023/03/19
+tags:
+ - attack.initial_access
+ - attack.privilege_escalation
+ - attack.t1078.003
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection: #adds to admin group
+ Image|endswith: '/dscl'
+ CommandLine|contains|all:
+ - ' -append '
+ - ' /Groups/admin '
+ - ' GroupMembership '
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
new file mode 100644
index 000000000..e1f427eb9
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
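Review bot: The `description` of the new dscl rule says it detects attempts to "create and add an account", but the only selection matches the `-append` / `/Groups/admin` / `GroupMembership` group-membership edit; account creation is not part of the logic, so the text overstates what fires. I would state it as `description: Detects attempts to add an account to the admin group via "dscl", which grants it admin privileges`. The inline comment `selection: #adds to admin group` also lacks the space after `#` that yamllint's `comments` rule expects and reads better as its own line above the key, `# Adds an existing account to the admin group`, mirroring the comment style used in the sysadminctl rule later in this patch.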
@@ -0,0 +1,28 @@
+title: User Added To Admin Group - MacOS
+id: 5d0fdb62-f225-42fb-8402-3dfe64da468a
+status: experimental
+description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
+ - https://ss64.com/osx/dseditgroup.html
+author: Sohan G (D4rkCiph3r)
+date: 2023/08/22
+tags:
+ - attack.initial_access
+ - attack.privilege_escalation
+ - attack.t1078.003
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith: '/dseditgroup'
+ CommandLine|contains|all:
+ - ' -o edit ' #edit operation
+ - ' -a ' # username
+ - ' -t user'
+ - 'admin' # Group name
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
new file mode 100644
index 000000000..100a907ad
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
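Review bot: The new dseditgroup rule has no `related:` entry, whereas the dscl and sysadminctl rules created in the same patch both declare `related:` with `- id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b` and `type: obsoletes`; since this selection was lifted out of that deprecated rule (see the third hunk of the renamed file), it should carry the same block directly after `id:`, i.e. `related:` / `    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b` / `      type: obsoletes`. The `' -t user'` item also narrows coverage to invocations that spell out the record type; if `-t` is optional and defaults to user (the ss64 reference lists it as an option — confirm against the man page), an edit that omits it would not fire, so consider whether `-t user` belongs in the `all` list or should be documented as a deliberate precision trade-off. The first comment `#edit operation` is missing the space after `#` that the other two comments on this list have.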
@@ -0,0 +1,30 @@
+title: User Added To Admin Group Via Sysadminctl
+id: 652c098d-dc11-4ba6-8566-c20e89042f2b
+related:
+ - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
+ type: obsoletes
+status: experimental
+description: Detects attempts to create and add an account to the admin group via "sysadminctl"
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
+ - https://ss64.com/osx/sysadminctl.html
+author: Sohan G (D4rkCiph3r)
+date: 2023/03/19
+tags:
+ - attack.initial_access
+ - attack.privilege_escalation
+ - attack.t1078.003
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ # Creates and adds new user to admin group
+ Image|endswith: '/sysadminctl'
+ CommandLine|contains|all:
+ - ' -addUser '
+ - ' -admin '
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
From 32800437c99cb3fdf97dd1c7013aeebcf5d78984 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 22 Aug 2023 17:55:17 +0200
Subject: [PATCH 4/4] Update proc_creation_macos_dseditgroup_add_to_admin_group.yml
---
 .../proc_creation_macos_dseditgroup_add_to_admin_group.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
index e1f427eb9..d28829fa4 100644
--- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
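Review bot: The `' -admin '` item in the new `CommandLine|contains|all` list requires a space on both sides, but `-admin` is a bare flag and in the referenced Atomic test it is the last token of the command line, so an invocation that ends in `-admin` with nothing after it would not match and the rule misses its own reference case. Dropping the trailing space is not a fix on its own, because sysadminctl also accepts `-adminUser` and `-adminPassword`, which a `' -admin'` term would match on every invocation that supplies administrator credentials. Splitting the flag into a two-alternative selection keeps the `-addUser` requirement and matches `-admin` both mid-line and at end of line; the selection names and the `condition` change accordingly.

```yaml
detection:
    selection_img:
        # Creates and adds new user to admin group
        Image|endswith: '/sysadminctl'
        CommandLine|contains: ' -addUser '
    selection_admin:
        # "-admin" takes no argument and is often the final token on the line
        - CommandLine|contains: ' -admin '
        - CommandLine|endswith: ' -admin'
    condition: all of selection_*
# … unchanged: falsepositives, level …
```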
@@ -1,4 +1,4 @@
-title: User Added To Admin Group - MacOS
+title: User Added To Admin Group Via DseditGroup
 id: 5d0fdb62-f225-42fb-8402-3dfe64da468a
 status: experimental
 description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.