
User Added To Admin Group Via Dscl

Detects attempts to create and add an account to the admin group via "dscl"

Author: Sohan G (D4rkCiph3r)
Created: Sun Mar 19
Rule ID: b743623c-2776-40e0-87b1-682b975d0ca5
Product: macos

Log Source
Product: macOS (raw: macos)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
detection:
    selection: # adds to admin group
        Image|endswith: '/dscl'
        CommandLine|contains|all:
            - ' -append '
            - ' /Groups/admin '
            - ' GroupMembership '
    condition: selection
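The selection above is a plain field test: an Image ending in "/dscl" together with a CommandLine that contains all three literal, space-delimited substrings. The following Python is an added example (not part of the rule page or the rule author's material) that evaluates that selection with Sigma's default case-insensitive string matching against a handful of constructed process-creation events, so a defender can see which invocations fire and which do not. The event field names Image and CommandLine come from the rule; the sample events, the event ids and the helper names are assumptions made for the example.

```python
"""Evaluate the dscl admin-group Sigma selection against constructed process events."""

# Selection transcribed from the rule's detection block: "field|modifiers": value(s).
SELECTION = {
    "Image|endswith": "/dscl",
    "CommandLine|contains|all": [" -append ", " /Groups/admin ", " GroupMembership "],
}


def _field_matches(value, modifiers, patterns):
    """Apply Sigma string modifiers to one field value (case-insensitive, as Sigma is by default)."""
    if value is None:              # field absent from the event: the selection cannot match
        return False
    text = str(value).lower()
    if not isinstance(patterns, list):
        patterns = [patterns]
    pats = [str(p).lower() for p in patterns]
    if "endswith" in modifiers:
        checks = [text.endswith(p) for p in pats]
    elif "startswith" in modifiers:
        checks = [text.startswith(p) for p in pats]
    elif "contains" in modifiers:
        checks = [p in text for p in pats]
    else:                          # no string modifier: exact (case-insensitive) equality
        checks = [text == p for p in pats]
    # "all" requires every listed value to match; otherwise any one value is enough.
    return all(checks) if "all" in modifiers else any(checks)


def selection_matches(event, selection=SELECTION):
    """True when every field condition of the selection holds for this event (implicit AND)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not _field_matches(event.get(field), modifiers, patterns):
            return False
    return True


def find_hits(events):
    """Return the events that satisfy the rule's condition (condition: selection)."""
    return [e for e in events if selection_matches(e)]


# Constructed sample events (not real telemetry); only Image and CommandLine matter here.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "/usr/bin/dscl",
     "CommandLine": "dscl . -append /Groups/admin GroupMembership alice"},          # hit
    {"id": 2, "Image": "/usr/bin/dscl",
     "CommandLine": "dscl . -read /Groups/admin GroupMembership"},                  # read only
    {"id": 3, "Image": "/bin/ls",
     "CommandLine": "ls -append /Groups/admin GroupMembership x"},                  # wrong image
    {"id": 4, "Image": "/usr/bin/dscl",
     "CommandLine": "dscl . -append /Groups/staff GroupMembership bob"},            # other group
    {"id": 5, "Image": "/usr/bin/DSCL",
     "CommandLine": "DSCL . -APPEND /GROUPS/ADMIN GROUPMEMBERSHIP mallory"},        # case differs, still a hit
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT event {hit['id']}: {hit['CommandLine']}")
```

Only events 1 and 5 produce an alert: the read-only dscl query, the non-dscl image and the append to a different group all fall outside the selection. Because every pattern is bracketed by spaces, the match depends on the full command line being present in the event, which is the usual case for macOS process-creation telemetry but worth confirming for the log source in use.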
False Positives

Legitimate administration activities

Related Rules
Similar: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b (rule not found)
Rule Metadata
Rule ID: b743623c-2776-40e0-87b1-682b975d0ca5
Status: test
Level: medium
Type: Detection
Created: Sun Mar 19
Path: rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
Raw Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003