Mac OS User Added To Admin Group
Query
//if you are using an MDM Solution whitelist in the following line
let legitimAdmin = dynamic(["jamfmanager"]);
//User Added To Admin Group Via Dscl
//https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
let NewAdminDSCL = DeviceProcessEvents
| where FileName == "dscl"
| where ProcessCommandLine has_all ("-append", "/Groups/admin", "GroupMembership")
| extend Activity = "User Added To Admin Group Via Dscl";
//User Added To Admin Group Via DseditGroup
//https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
let NewAdminDSEDIT = DeviceProcessEvents
| where FileName == "dseditgroup"
| where ProcessCommandLine has_all ("-o edit", "-a", "-t", "admin")
| where not(ProcessCommandLine has_any (legitimAdmin))
| extend Activity = "User Added To Admin Group Via Dseditgroup";
//Root Account Enable Via Dsenableroot
NewAdminDSCL
| union NewAdminDSEDITAbout this query
Explanation
This query is designed to detect when a user is added to the local 'admin' group on a macOS system. It focuses on identifying the use of specific command-line utilities (dscl and dseditgroup) that can add users to the 'admin' group. Here's a simple breakdown of what the query does:
-
Whitelist Legitimate Tools: It starts by defining a list of legitimate tools (like 'jamfmanager') that might add users to the admin group as part of normal operations, to avoid false positives.
-
Detecting
dsclUsage:- It checks for processes where the
dsclcommand is used with specific arguments (-append,/Groups/admin,GroupMembership) that indicate a user is being added to the admin group. - If such a process is found, it labels the activity as "User Added To Admin Group Via Dscl".
- It checks for processes where the
-
Detecting
dseditgroupUsage:- It looks for processes using the
dseditgroupcommand with arguments (-o edit,-a,-t,admin) that suggest a user is being added to the admin group. - It excludes processes that involve any of the whitelisted legitimate tools.
- If such a process is found, it labels the activity as "User Added To Admin Group Via Dseditgroup".
- It looks for processes using the
-
Combining Results:
- It combines the results from both detections (
dsclanddseditgroup) to provide a comprehensive view of any suspicious activity related to adding users to the admin group.
- It combines the results from both detections (
Overall, this query helps in monitoring and alerting on potentially unauthorized changes to the admin group on macOS systems, which could be indicative of malicious activity.
