From 3358dd47eae9c9a939f7f613053a42822c08d852 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Sun, 11 Oct 2020 17:56:29 +0200
Subject: [PATCH 1/2] macos local account creation
---
 rules/linux/macos_create_account.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/linux/macos_create_account.yml
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml
new file mode 100644
index 000000000..c866aba10
--- /dev/null
+++ b/rules/linux/macos_create_account.yml
@@ -0,0 +1,25 @@
+title: Creation Of A Local User Account
+id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
+status: experimental
+description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ ProcessName|endswith:
+ - '*/dscl'
+ CommandLine|contains:
+ - '. -create *'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: Admin
+tags:
+ - attack.t1136 # an old one
+ - attack.t1136.001
+ - attack.persistence
From 50fde8c13f32587c85931f3c3a7082fe968589e8 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Tue, 13 Oct 2020 10:55:29 +0200
Subject: [PATCH 2/2] minor changes on command line
---
 rules/linux/macos_create_account.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml
index c866aba10..915f90488
--- a/rules/linux/macos_create_account.yml
+++ b/rules/linux/macos_create_account.yml
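Review bot: The selection keys on `ProcessName`, but as far as the generic Sigma process_creation field set goes the executable path is named `Image` (next to `CommandLine`), so a backend that maps that field set would leave `ProcessName` untranslated and the rule would never match; `Image|endswith: '/dscl'` is the expected form. The file also lands under `rules/linux/` while `logsource.product` is `macos`, which misleads anyone loading or packaging rules by directory. Lastly, the reference points at the `master` branch of atomic-red-team, which can move or be rewritten; pin it to a commit SHA so the test case the rule was written against stays reproducible.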
@@ -12,13 +12,13 @@ logsource:
 detection:
 selection:
 ProcessName|endswith:
- - '*/dscl'
+ - '/dscl'
 CommandLine|contains:
- - '. -create *'
+ - 'create'
 condition: selection
 falsepositives:
 - Legitimate administration activities
-level: Admin
+level: medium
 tags:
 - attack.t1136 # an old one
 - attack.t1136.001
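Review bot: The new `CommandLine|contains: 'create'` value is a bare substring with no tie to the `-create` option, so it also matches any `dscl` invocation whose record path or attribute value happens to contain that text, and since `-create` is equally how dscl sets an attribute on an existing record (`dscl . -create /Users/x UserShell /bin/zsh`) the rule fires on modification as well as on account creation. Restoring the dash at least anchors on the option, `- '-create'`, and if only user records are meant something like `CommandLine|contains|all: ['-create', '/Users/']` narrows it further while staying a substring match. The hunk also leaves the `ProcessName` field in place, which is not the generic Sigma process_creation name for the executable path (`Image`), so the rule may still not translate on backends that map that field set. The `detection` mapping starts inside the hunk, but the `tags` list continues past its last line.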