EXPLORE
← Back to Explore
jamf_protectlowTTP

Root User Enabled or Password Changed

This detection functions by monitoring for expected changes made to the /var/db/dslocal/nodes/Default/users/root.plist file when these events occur.

Detection Query

$event.path == "/var/db/dslocal/nodes/Default/users/root.plist" AND $event.isModified == 1 AND $event.file.contentsAsDict.accountPolicyData.asPlistDict.passwordLastSetTime != $event.file.snapshotData.asPlistDict.accountPolicyData.asPlistDict.passwordLastSetTime

Author

Jamf

Data Sources

File System EventsmacOS Endpoint Security

Platforms

macos

Tags

VisibilitySystem Changes
Raw Content
---
name: RootUserEnabledOrPasswordChanged
uuid: 80f3ef6c-fb39-428f-8bc4-7605561ae85f
longDescription: This detection functions by monitoring for expected changes made to the /var/db/dslocal/nodes/Default/users/root.plist file when these events occur.
level: 0
inputType: GPFSEvent
tags: null
snapshotFiles: []
filter: $event.path == "/var/db/dslocal/nodes/Default/users/root.plist" AND
  $event.isModified == 1 AND
  $event.file.contentsAsDict.accountPolicyData.asPlistDict.passwordLastSetTime != $event.file.snapshotData.asPlistDict.accountPolicyData.asPlistDict.passwordLastSetTime
actions:
  - name: Log
context: []
categories:
  - Visibility
  - System Changes
version: 1
severity: Low
shortDescription: The root user has either been enabled or a new password has been set.
label: Root User Enabled or Password Changed
remediation: null
MitreCategories: null