| ID | Technique | Tactic |
|---|---|---|
| T1136 | Create Account | Persistence |
Detection: MacOS Account Created
Description
The following analytic detects the creation of a new local user account on a MacOS system. It leverages osquery logs to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.
Search
1
2| tstats `security_content_summariesonly`
3 count min(_time) as firstTime
4 max(_time) as lastTime
5from datamodel=Endpoint.Processes where
6
7(
8 Processes.process = "*sysadminctl"
9 Processes.process = "*-addUser*"
10)
11OR
12(
13 Processes.process = "*createhomedir*"
14 Processes.process = "*-u*"
15)
16OR
17(
18 Processes.process = "*dseditgroup*"
19 Processes.process IN (
20 "*edit*",
21 "*-a*"
22 )
23)
24OR
25(
26 Processes.process = "*dscl*"
27 Processes.process = "*-create*"
28)
29
30by Processes.dest Processes.original_file_name Processes.parent_process_id
31 Processes.process Processes.process_exec Processes.process_guid
32 Processes.process_hash Processes.process_id
33 Processes.process_current_directory Processes.process_name
34 Processes.process_path Processes.user Processes.user_id
35 Processes.vendor_product
36
37
38| `drop_dm_object_name(Processes)`
39
40| `security_content_ctime(firstTime)`
41
42| `security_content_ctime(lastTime)`
43
44| `macos_account_created_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Osquery Results | Other | 'osquery:results' |
'osquery' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| macos_account_created_filter | search * |
macos_account_created_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. Also the TA-OSquery must be deployed across your indexers and universal forwarders in order to have the osquery data populate the data models.
Known False Positives
Creating new accounts after initial endpoint management should be rare in most environments. Investigate and tune as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
New local account created on $dest$ by $user$ via $process$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 20 | process |
| user | user | 20 | process |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | osquery |
osquery:results |
| Integration | ✅ Passing | Dataset | osquery |
osquery:results |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2