Create proc_creation_macos_enable_guest_account.yml (SigmaHQ#4054)

SavinSpring · Feb 20, 2023 · d0af939 · d0af939
1 parent f9a73c7
commit d0af939
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
@@ -0,0 +1,26 @@
+title: Guest Account Enabled Via Sysadminctl
+id: d7329412-13bd-44ba-a072-3387f804a106
+status: experimental
+description: Detects attempts to enable the guest account using the sysadminctl utility
+references:
+    - https://ss64.com/osx/sysadminctl.html
+author: Sohan G (D4rkCiph3r)
+date: 2023/02/18
+tags:
+    - attack.initial_access
+    - attack.t1078
+    - attack.t1078.001
+logsource:
+    category: process_creation
+    product: macos
+detection:
+    selection:
+        Image|endswith: '/sysadminctl'
+        CommandLine|contains|all:
+            # By default the guest account is not active
+            - ' -guestAccount'
+            - ' on'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low