← Back to Explore
jamf_protectlowTTP
Root User Enabled or Password Changed
This detection functions by monitoring for expected changes made to the /var/db/dslocal/nodes/Default/users/root.plist file when these events occur.
Detection Query
$event.path == "/var/db/dslocal/nodes/Default/users/root.plist" AND $event.isModified == 1 AND $event.file.contentsAsDict.accountPolicyData.asPlistDict.passwordLastSetTime != $event.file.snapshotData.asPlistDict.accountPolicyData.asPlistDict.passwordLastSetTimeAuthor
Jamf
Data Sources
File System EventsmacOS Endpoint Security
Platforms
macos
Tags
VisibilitySystem Changes
Raw Content
---
name: RootUserEnabledOrPasswordChanged
uuid: 80f3ef6c-fb39-428f-8bc4-7605561ae85f
longDescription: This detection functions by monitoring for expected changes made to the /var/db/dslocal/nodes/Default/users/root.plist file when these events occur.
level: 0
inputType: GPFSEvent
tags: null
snapshotFiles: []
filter: $event.path == "/var/db/dslocal/nodes/Default/users/root.plist" AND
$event.isModified == 1 AND
$event.file.contentsAsDict.accountPolicyData.asPlistDict.passwordLastSetTime != $event.file.snapshotData.asPlistDict.accountPolicyData.asPlistDict.passwordLastSetTime
actions:
- name: Log
context: []
categories:
- Visibility
- System Changes
version: 1
severity: Low
shortDescription: The root user has either been enabled or a new password has been set.
label: Root User Enabled or Password Changed
remediation: null
MitreCategories: null