sigmamediumHunting

User Added To Admin Group Via Sysadminctl

Detects attempts to create and add an account to the admin group via "sysadminctl"

MITRE ATT&CK

persistencedefense-evasioninitial-accessprivilege-escalation

Detection Query

selection:
  Image|endswith: /sysadminctl
  CommandLine|contains|all:
    - " -addUser "
    - " -admin "
condition: selection

Author

Sohan G (D4rkCiph3r)

Created

2023-03-19

Data Sources

macosProcess Creation Events

Platforms

macos

References

Tags

attack.persistenceattack.defense-evasionattack.initial-accessattack.privilege-escalationattack.t1078.003

Raw Content

title: User Added To Admin Group Via Sysadminctl
id: 652c098d-dc11-4ba6-8566-c20e89042f2b
related:
    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
      type: obsolete
status: test
description: Detects attempts to create and add an account to the admin group via "sysadminctl"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
    - https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-03-19
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.privilege-escalation
    - attack.t1078.003
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        # Creates and adds new user to admin group
        Image|endswith: '/sysadminctl'
        CommandLine|contains|all:
            - ' -addUser '
            - ' -admin '
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium