EXPLORE
← Back to Explore
sigmalowHunting

Local System Accounts Discovery - MacOs

Detects enumeration of local system accounts on MacOS systems. This can be used by attackers to identify accounts for lateral movement or privilege escalation.

MITRE ATT&CK

discovery

Detection Query

selection_dscl:
  Image|endswith: /dscl
  CommandLine|contains|all:
    - list
    - /users
selection_dscacheutil:
  Image|endswith: /dscacheutil
  CommandLine|contains|all:
    - -q
    - user
selection_root:
  CommandLine|contains: "'*:0:'"
selection_passwd_sudo:
  Image|endswith:
    - /cat
    - /awk
    - /grep
  CommandLine|contains:
    - /etc/passwd
    - /etc/sudoers
selection_id:
  Image|endswith: /id
selection_lsof:
  Image|endswith: /lsof
  CommandLine|contains: -u
selection_logged_in_users:
  Image|endswith:
    - /who
    - /w
    - /users
    - /last
selection_home_dir_listing:
  Image|endswith: /ls
  CommandLine|endswith:
    - /Users
    - /Users'
    - /Users"
selection_loginwindow_prefs:
  Image|endswith:
    - /defaults
    - /plutil
  CommandLine|contains: com.apple.loginwindow
condition: 1 of selection*

Author

Alejandro Ortuno, oscd.community

Created

2020-10-08

Data Sources

macosProcess Creation Events

Platforms

macos

Tags

attack.discoveryattack.t1087.001
Raw Content
title: Local System Accounts Discovery - MacOs
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: test
description: |
    Detects enumeration of local system accounts on MacOS systems.
    This can be used by attackers to identify accounts for lateral movement or privilege escalation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
    - https://ss64.com/osx/dscl.html
    - https://ss64.com/mac/dscacheutil.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-08
modified: 2026-07-07
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: macos
detection:
    selection_dscl:
        Image|endswith: '/dscl'
        CommandLine|contains|all:
            - 'list'
            - '/users'
    selection_dscacheutil:
        Image|endswith: '/dscacheutil'
        CommandLine|contains|all:
            - '-q'
            - 'user'
    selection_root:
        CommandLine|contains: '''*:0:'''
    selection_passwd_sudo:
        Image|endswith:
            - '/cat'
            - '/awk'
            - '/grep'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/sudoers'
    selection_id:
        Image|endswith: '/id'
    selection_lsof:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    selection_logged_in_users:
        Image|endswith:
            - '/who'
            - '/w'
            - '/users'
            - '/last'
    selection_home_dir_listing:
        Image|endswith: '/ls'
        CommandLine|endswith:
            - '/Users'
            - "/Users'"
            - '/Users"'
    selection_loginwindow_prefs:
        Image|endswith:
            - '/defaults' # defaults read /Library/Preferences/com.apple.loginwindow
            - '/plutil' # plutil -p /Library/Preferences/com.apple.loginwindow.plist
        CommandLine|contains: 'com.apple.loginwindow'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low