macOS User Added to Admin Group Detection
The rule identifies when a user is added to the admin group on macOS systems, potentially indicating privilege escalation activity, and requires Jamf Protect for data ingestion into Elastic.
This detection rule identifies instances of users being added to the ‘admin’ group on macOS systems. This is a critical security concern, as it can be indicative of privilege escalation attempts by malicious actors or unauthorized users. The rule is designed to function with data ingested from Jamf Protect into the Elastic Security platform, providing a means to detect this specific type of activity within macOS environments. The rule was last updated in May 2026 and leverages EQL for its detection logic. By monitoring for these events, security teams can quickly identify and respond to potential privilege escalation attempts, mitigating the risk of unauthorized access and control over macOS systems.
Attack Chain
- A user with sufficient privileges executes a command-line tool such as dscl to modify group membership.
- The dscl command targets the local directory service to modify the "admin" group.
- The command adds a specific username to the list of members of the "admin" group.
- The operating system processes the directory service modification request and updates group membership.
- The system logs the event as a change to group membership, specifically “od_group_add” for the “admin” group.
- Jamf Protect detects this event and forwards the telemetry to the Elastic platform.
- The Elastic detection rule triggers based on the received event data.
- An alert is generated, prompting security analysts to investigate potential privilege escalation.
Impact
Successful privilege escalation can grant an attacker complete control over the affected macOS system. This can lead to unauthorized data access, modification, or deletion, as well as the installation of malware or other malicious software. While the risk score is relatively low (21), the potential impact of a successful attack necessitates monitoring for this behavior. Post-privilege escalation, attackers can establish persistence, install software, create new user accounts, or perform lateral movement within the network.
Recommendation
- Configure Jamf Protect to forward macOS endpoint events to the Elastic platform to enable the detections in this brief.
- Deploy the Sigma rule "macOS User Added to Admin Group via dscl" to detect potential privilege escalation attempts.
- Investigate any alerts generated by this rule by reviewing the actions taken by the affected user immediately after being added to the admin group, looking for persistence mechanisms or unauthorized software installs.
- Use the provided investigation queries in the rule’s metadata to find related events from the host or parent process.
Detection coverage (2 rules)
- macOS User Added to Admin Group via dscl (severity: low): Detects when a user is added to the admin group on macOS via the dscl command, indicating potential privilege escalation.
- macOS User Added to Admin Group via Open Directory (severity: medium): Detects events where a user is added to the admin group using Open Directory change events.
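The following is an added example, not part of this brief and not Elastic's or Jamf Protect's own rule code. It mirrors the two detections listed above (the dscl command-line rule and the Open Directory change-event rule) as plain Python filters run over a handful of constructed endpoint events, so the matching logic, including the benign cases that must not alert (a read-only dscl lookup, a change to a non-admin group), can be seen in one place. The event field names (event_type, group, member, process, args) are assumptions chosen for this example; the real Jamf Protect to Elastic field mapping may differ.

```python
"""Toy analogue of the two admin-group detections, over constructed events.

Field names are assumptions for this example, not the real Jamf Protect / ECS schema.
"""
import shlex
from dataclasses import dataclass

# Constructed sample telemetry (NOT real Jamf Protect records).
SAMPLE_EVENTS = [
    # Open Directory change event: user added to the admin group -> alert
    {"host": "mac-01", "event_type": "od_group_add", "group": "admin",
     "member": "jdoe", "user": "root"},
    # Same event type, benign group -> no alert
    {"host": "mac-01", "event_type": "od_group_add", "group": "staff",
     "member": "jdoe", "user": "root"},
    # dscl appending a member to /Groups/admin -> alert
    {"host": "mac-02", "event_type": "process_exec", "process": "dscl",
     "args": ". -append /Groups/admin GroupMembership svc_backup", "user": "root"},
    # dscl only reading the admin group (lookup, not a modification) -> no alert
    {"host": "mac-02", "event_type": "process_exec", "process": "dscl",
     "args": ". -read /Groups/admin GroupMembership", "user": "root"},
    # dscl modifying a non-admin group -> no alert
    {"host": "mac-03", "event_type": "process_exec", "process": "dscl",
     "args": ". -append /Groups/staff GroupMembership jdoe", "user": "root"},
]

# dscl verbs that add members to a group (dscl accepts them with or without the dash).
DSCL_ADD_VERBS = {"-append", "append", "-merge", "merge"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    host: str
    member: str


def detect_od_group_add(event):
    """Open Directory rule analogue: od_group_add event whose target group is 'admin'."""
    if event.get("event_type") == "od_group_add" and event.get("group") == "admin":
        return Alert("macOS User Added to Admin Group via Open Directory",
                     "medium", event["host"], event.get("member", "?"))
    return None


def detect_dscl_admin_append(event):
    """dscl rule analogue: a dscl process that adds a member to /Groups/admin."""
    if event.get("event_type") != "process_exec" or event.get("process") != "dscl":
        return None
    argv = shlex.split(event.get("args", ""))
    # Expected shape: <node> <verb> /Groups/admin GroupMembership <user>
    if len(argv) < 5 or argv[1] not in DSCL_ADD_VERBS:
        return None
    if argv[2].rstrip("/").lower() != "/groups/admin" or argv[3] != "GroupMembership":
        return None
    return Alert("macOS User Added to Admin Group via dscl", "low", event["host"], argv[4])


def run_detections(events):
    """Apply both rule analogues to every event; returns the list of alerts raised."""
    alerts = []
    for ev in events:
        for rule in (detect_od_group_add, detect_dscl_admin_append):
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.member} added on {a.host}")
```

Running the block against the constructed events raises exactly two alerts (the Open Directory event for jdoe and the dscl append for svc_backup); the read-only dscl lookup and the staff-group changes are ignored, which is the behaviour an analyst would want when tuning the real rules against benign administrative noise.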
Detection queries are available on the platform.