MacOS Account Created
- source: splunk
- techniques:
  - T1136
Description
The following analytic detects the creation of a new local user account on a macOS system. It leverages process-execution telemetry mapped to the Endpoint.Processes data model (for example osquery process events) to identify the command-line tools Apple ships for local account management: sysadminctl -addUser, createhomedir -u, dseditgroup -o edit -a, and dscl -create. Monitoring the creation of local accounts is crucial for a SOC because it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data. Expect benign hits from MDM enrollment, provisioning scripts and administrators, so tune the filter macro for known deployment tooling rather than suppressing whole hosts.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.process = "*sysadminctl*"
AND Processes.process = "*-addUser*"
)
OR
(
Processes.process = "*createhomedir*"
AND Processes.process = "*-u*"
)
OR
(
Processes.process = "*dseditgroup*"
AND Processes.process IN (
"*edit*",
"*-a*"
)
)
OR
(
Processes.process = "*dscl*"
AND Processes.process = "*-create*"
)
by Processes.dest Processes.original_file_name Processes.parent_process_id
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id
Processes.process_current_directory Processes.process_name
Processes.process_path Processes.user Processes.user_id
Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_account_created_filter`

Note the trailing wildcard on every tool-name pattern. Processes.process carries the full command line, so a pattern such as "*sysadminctl" (no trailing wildcard) only matches a command line that ends in the binary name and can never also contain "-addUser"; that clause would be dead. The dseditgroup alternative "*-a*" is very broad and will match any command line containing "-a"; it is acceptable only because it is ANDed with "*dseditgroup*".
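As an added worked example (not part of the Splunk rule or of this page), the following Python re-implements the four clause groups over osquery-style process events so the matching logic can be exercised offline and the broad wildcard clauses checked against look-alike commands. The event rows, hostnames and usernames are constructed sample data; case-insensitive wildcard matching is an assumption made here for safety rather than a statement about Splunk's tstats semantics.

```python
"""Re-implementation of the MacOS Account Created clause logic over
osquery-style process events. Added example: this is not the Splunk rule
itself, and the events below are constructed sample data, not real telemetry."""
import re
from collections import OrderedDict
from datetime import datetime, timezone

# The four clause groups of the detection. Within a group every pattern must
# match the command line (Splunk's implicit AND); a tuple is an IN (...) list
# of which any one pattern may match.
CLAUSES = OrderedDict([
    ("sysadminctl_adduser", ["*sysadminctl*", "*-addUser*"]),
    ("createhomedir_user", ["*createhomedir*", "*-u*"]),
    ("dseditgroup_add", ["*dseditgroup*", ("*edit*", "*-a*")]),
    ("dscl_create", ["*dscl*", "*-create*"]),
])


def wildcard_match(pattern, text):
    """Splunk-style '*' wildcard match over the whole value.
    Case-insensitive here (assumption: chosen so that -addUser and -adduser
    both fire; Splunk's behaviour depends on the field type)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def match_clause(cmdline):
    """Return the name of the first clause group the command line satisfies,
    or None when no group matches (the event would not be surfaced)."""
    for name, patterns in CLAUSES.items():
        satisfied = True
        for p in patterns:
            alternatives = p if isinstance(p, tuple) else (p,)
            if not any(wildcard_match(a, cmdline) for a in alternatives):
                satisfied = False
                break
        if satisfied:
            return name
    return None


# Constructed osquery process_events-style rows: (unix time, host, user, cmdline).
# mac-01 shows a full local-account creation chain; mac-02 shows benign
# invocations of the same binaries that must not match.
SAMPLE_EVENTS = [
    (1700000000, "mac-01", "root", "sysadminctl -addUser svc_backup -fullName 'Backup Svc' -password hunter2 -admin"),
    (1700000005, "mac-01", "root", "dscl . -create /Users/svc_backup UserShell /bin/zsh"),
    (1700000010, "mac-01", "root", "createhomedir -c -u svc_backup"),
    (1700000015, "mac-01", "root", "dseditgroup -o edit -a svc_backup -t user admin"),
    (1700000020, "mac-02", "alice", "dscl . -read /Users/alice"),
    (1700000025, "mac-02", "alice", "sysadminctl -secureTokenStatus alice"),
    (1700000030, "mac-02", "bob", "/usr/sbin/dscl localhost -list /Local/Default/Users"),
]


def run_detection(events):
    """Mimic the tstats aggregation: count, min(_time) and max(_time) grouped
    by (dest, process) for every event that satisfies a clause group."""
    results = {}
    for ts, dest, user, cmdline in events:
        clause = match_clause(cmdline)
        if clause is None:
            continue
        row = results.setdefault((dest, cmdline), {
            "count": 0, "firstTime": ts, "lastTime": ts,
            "user": user, "clause": clause,
        })
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
    return results


def main():
    # Equivalent of security_content_ctime: render epoch seconds as ISO-8601.
    for (dest, cmdline), row in run_detection(SAMPLE_EVENTS).items():
        first = datetime.fromtimestamp(row["firstTime"], tz=timezone.utc).isoformat()
        print(f"{first}  {dest}  {row['user']:<6} {row['clause']:<20} {cmdline}")


if __name__ == "__main__":
    main()
```

Running the script surfaces only the four mac-01 events; the dscl read/list and the sysadminctl -secureTokenStatus calls on mac-02 contain the tool name but not the account-creating flag, which is what the ANDed second pattern in each group exists to enforce. Swapping "*sysadminctl*" for "*sysadminctl" in CLAUSES makes wildcard_match fail on every real command line and silently drops the first group, which is the kind of regression a unit test like this catches before the rule ships.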