← Back to Explore
sigmalowHunting
Local System Accounts Discovery - MacOs
Detects enumeration of local system accounts on MacOS systems. This can be used by attackers to identify accounts for lateral movement or privilege escalation.
Detection Query
selection_dscl:
Image|endswith: /dscl
CommandLine|contains|all:
- list
- /users
selection_dscacheutil:
Image|endswith: /dscacheutil
CommandLine|contains|all:
- -q
- user
selection_root:
CommandLine|contains: "'*:0:'"
selection_passwd_sudo:
Image|endswith:
- /cat
- /awk
- /grep
CommandLine|contains:
- /etc/passwd
- /etc/sudoers
selection_id:
Image|endswith: /id
selection_lsof:
Image|endswith: /lsof
CommandLine|contains: -u
selection_logged_in_users:
Image|endswith:
- /who
- /w
- /users
- /last
selection_home_dir_listing:
Image|endswith: /ls
CommandLine|endswith:
- /Users
- /Users'
- /Users"
selection_loginwindow_prefs:
Image|endswith:
- /defaults
- /plutil
CommandLine|contains: com.apple.loginwindow
condition: 1 of selection*
Author
Alejandro Ortuno, oscd.community
Created
2020-10-08
Data Sources
macosProcess Creation Events
Platforms
macos
References
Tags
attack.discoveryattack.t1087.001
Raw Content
title: Local System Accounts Discovery - MacOs
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: test
description: |
Detects enumeration of local system accounts on MacOS systems.
This can be used by attackers to identify accounts for lateral movement or privilege escalation.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
- https://ss64.com/osx/dscl.html
- https://ss64.com/mac/dscacheutil.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-08
modified: 2026-07-07
tags:
- attack.discovery
- attack.t1087.001
logsource:
category: process_creation
product: macos
detection:
selection_dscl:
Image|endswith: '/dscl'
CommandLine|contains|all:
- 'list'
- '/users'
selection_dscacheutil:
Image|endswith: '/dscacheutil'
CommandLine|contains|all:
- '-q'
- 'user'
selection_root:
CommandLine|contains: '''*:0:'''
selection_passwd_sudo:
Image|endswith:
- '/cat'
- '/awk'
- '/grep'
CommandLine|contains:
- '/etc/passwd'
- '/etc/sudoers'
selection_id:
Image|endswith: '/id'
selection_lsof:
Image|endswith: '/lsof'
CommandLine|contains: '-u'
selection_logged_in_users:
Image|endswith:
- '/who'
- '/w'
- '/users'
- '/last'
selection_home_dir_listing:
Image|endswith: '/ls'
CommandLine|endswith:
- '/Users'
- "/Users'"
- '/Users"'
selection_loginwindow_prefs:
Image|endswith:
- '/defaults' # defaults read /Library/Preferences/com.apple.loginwindow
- '/plutil' # plutil -p /Library/Preferences/com.apple.loginwindow.plist
CommandLine|contains: 'com.apple.loginwindow'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: low