blue-team-tools/deprecated/macos/proc_creation_macos_add_to_admin_group.yml
Nasreddine Bencherchali bdffe3a7fe Merge PR #4406 from @nasbench - Multiple Updates & Additions
new: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
new: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
new: CVE-2023-40477 Potential Exploitation - .REV File Creation
new: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
new: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
new: LOL-Binary Copied From System Directory
new: LSASS Dump Keyword In CommandLine
new: Old TLS1.0/TLS1.1 Protocol Version Enabled
new: Potentially Suspicious Child Process Of WinRAR.EXE
new: VMMap Signed Dbghelp.DLL Potential Sideloading
update: 7Zip Compressing Dump Files - Reduce level
update: LOLBIN Execution From Abnormal Drive
update: LSASS Memory Dump File Creation - Deprecated
update: Potential Browser Data Stealing - Increase coverage with more browsers
update: Potentially Suspicious Compression Tool Parameters
update: Potentially Suspicious Windows App Activity - Fix FP, increase coverage and reduce level
update: Rundll32 Execution Without CommandLine Parameters - Add CLI variations
update: Suspicious Child Process Of Manage Engine ServiceDesk
update: Suspicious Copy From or To System Directory - Add new folder "WinSxS"
update: VMMap Unsigned Dbghelp.DLL Potential Sideloading
update: Winrar Execution in Non-Standard Folder
update: Wscript Execution from Non C Drive - Deprecated

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-07 11:42:15 +02:00


title: User Added To Admin Group - MacOS
id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
status: deprecated
description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
    - https://ss64.com/osx/dscl.html
    - https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023/03/19
modified: 2023/08/22
tags:
    - attack.t1078.003
    - attack.initial_access
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: macos
detection:
    selection_sysadminctl: # creates a new user and adds it to the admin group
        Image|endswith: '/sysadminctl'
        CommandLine|contains|all:
            - ' -addUser '
            - ' -admin '
    selection_dscl: # adds an existing user to the admin group
        Image|endswith: '/dscl'
        CommandLine|contains|all:
            - ' -append '
            - ' /Groups/admin '
            - ' GroupMembership '
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
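The following Python block is an added example, not part of the rule or the Sigma project: it transcribes the two selections above into a tiny evaluator with Sigma's `endswith` / `contains|all` semantics (case-insensitive, as the Sigma specification defines string matching) and runs it over a handful of constructed macOS `process_creation` events. The event records, usernames and paths are made up for the example.

```python
from typing import Dict, List, Union

# Constructed macOS process_creation events (not real telemetry). The field
# names mirror what the Sigma macos/process_creation log source exposes.
EVENTS: List[Dict[str, str]] = [
    # 1: sysadminctl creating an admin user; "-admin" sits mid-command.
    {"Image": "/usr/sbin/sysadminctl",
     "CommandLine": "sysadminctl -addUser eve -password Hunter2 -admin -fullName Eve"},
    # 2: dscl appending an existing user to the admin group.
    {"Image": "/usr/bin/dscl",
     "CommandLine": "dscl . -append /Groups/admin GroupMembership eve"},
    # 3: benign read of the same group; must not fire.
    {"Image": "/usr/bin/dscl",
     "CommandLine": "dscl . -read /Groups/admin GroupMembership"},
    # 4: same as 1 but "-admin" is the last token with no trailing space.
    {"Image": "/usr/sbin/sysadminctl",
     "CommandLine": "sysadminctl -addUser bob -password Hunter2 -admin"},
]

# The rule's detection section, transcribed from the YAML above.
RULE: Dict[str, Dict[str, Union[str, List[str]]]] = {
    "selection_sysadminctl": {
        "Image|endswith": "/sysadminctl",
        "CommandLine|contains|all": [" -addUser ", " -admin "],
    },
    "selection_dscl": {
        "Image|endswith": "/dscl",
        "CommandLine|contains|all": [" -append ", " /Groups/admin ", " GroupMembership "],
    },
}


def field_matches(event: Dict[str, str], key: str, expected) -> bool:
    """Apply one 'Field|modifier|...' entry to an event (Sigma semantics,
    case-insensitive; only the modifiers this rule uses are implemented)."""
    field, *mods = key.split("|")
    value = event.get(field, "").lower()
    patterns = [p.lower() for p in (expected if isinstance(expected, list) else [expected])]
    if "endswith" in mods:
        return any(value.endswith(p) for p in patterns)
    if "contains" in mods:
        hits = (p in value for p in patterns)
        return all(hits) if "all" in mods else any(hits)
    return any(value == p for p in patterns)


def selection_matches(event: Dict[str, str], selection: Dict) -> bool:
    # Entries inside one selection are AND-ed together.
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of the selections that fire. The rule's condition is
    '1 of selection_*', so the rule alerts when this list is non-empty."""
    return [name for name, sel in RULE.items() if selection_matches(event, sel)]


def alert(event: Dict[str, str]) -> bool:
    return bool(evaluate(event))


if __name__ == "__main__":
    for i, ev in enumerate(EVENTS, 1):
        print(f"event {i}: alert={alert(ev)} via {evaluate(ev)}")
```

Events 1 and 2 fire, event 3 does not, and event 4 also does not: the pattern `' -admin '` requires a space on both sides, so a command line whose final token is `-admin` (the shape of the referenced Atomic Red Team test) is not matched by the rule as written. That is one of the reasons a rule like this gets revisited; check how your backend renders leading and trailing spaces before relying on such patterns.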