Potential Admin Group Account Addition

Elastic Detection Rules

Summary
This rule detects potential privilege-escalation attempts on macOS systems by identifying actions that add accounts to the admin group via command-line tools such as `dscl` and `dseditgroup`. The detection keys on specific arguments that indicate an intent to modify admin group membership. The rule explicitly excludes legitimate management applications to minimize false positives, so that alerts are triggered only for potentially malicious activity. Monitoring these actions helps organizations respond swiftly to unauthorized privilege escalation and so strengthens endpoint security.
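As an added illustration (not Elastic's rule or query), the detection logic the summary describes, run over constructed process events: the admin-group and add arguments, the ECS-style field names and the excluded parent path are assumptions, since the page does not list the rule's exact values.

```python
import shlex

# Assumed indicator arguments (the rule's exact argument list is not on the
# page): the admin group as each tool names it, and each tool's "add" verb.
ADMIN_GROUP_ARGS = {"/Groups/admin", "admin"}   # dscl path / dseditgroup name
ADD_ARGS = {"-append", "-a"}                     # dscl verb / dseditgroup flag
# Constructed placeholder for the legitimate management software the rule
# excludes by parent executable; the real exclusion list is not on the page.
EXCLUDED_PARENTS = {"/Library/Application Support/EXAMPLE-MDM/example-agent"}

def make_event(cmdline: str, parent: str, event_type: str = "start") -> dict:
    """Build an ECS-style process event from a command line (constructed data)."""
    argv = shlex.split(cmdline)
    return {"event.type": event_type, "process.name": argv[0],
            "process.args": argv, "process.parent.executable": parent}

def is_admin_group_addition(event: dict) -> bool:
    """True for a dscl/dseditgroup start event whose arguments name the admin
    group and an add verb, unless an excluded management parent launched it."""
    if event.get("event.type") not in {"start", "process_started"}:
        return False
    if event.get("process.name") not in {"dscl", "dseditgroup"}:
        return False
    args = set(event.get("process.args", []))
    if not (args & ADMIN_GROUP_ARGS and args & ADD_ARGS):
        return False
    return event.get("process.parent.executable") not in EXCLUDED_PARENTS

def alerts(events):
    """Return the command lines of the events the rule logic would alert on."""
    return [" ".join(e["process.args"]) for e in events if is_admin_group_addition(e)]

# Constructed sample telemetry: two interactive additions (should alert), the
# same addition by the excluded agent, a read-only dscl query, a removal, and
# an addition to a non-admin group (none should alert).
SAMPLE_EVENTS = [
    make_event("dscl . -append /Groups/admin GroupMembership jdoe", "/bin/zsh"),
    make_event("dseditgroup -o edit -a jdoe -t user admin", "/bin/bash"),
    make_event("dseditgroup -o edit -a jdoe -t user admin",
               "/Library/Application Support/EXAMPLE-MDM/example-agent"),
    make_event("dscl . -read /Users/jdoe UniqueID", "/bin/zsh"),
    make_event("dseditgroup -o edit -d jdoe -t user admin", "/bin/bash"),
    make_event("dscl . -append /Groups/staff GroupMembership jdoe", "/bin/zsh"),
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The parent-executable exclusion is what keeps routine MDM-driven group changes out of the alert stream while interactive shell invocations still fire.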
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.003
Created: 2020-01-05