Dumping Account Hashes via Built-In Commands on macOS
This rule detects the execution of macOS built-in commands such as `defaults`, `mkpassdb`, and `dscl` used by adversaries to dump user account hashes for credential access and lateral movement.
This detection rule identifies the execution of macOS built-in commands that can be used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can then be cracked or leveraged for lateral movement within the network. The rule specifically targets the `defaults`, `mkpassdb`, `dscl`, `plutil`, `cat`, `strings`, `xxd`, and `head` commands when used with arguments indicative of hash dumping, such as `ShadowHashData` or file paths to user .plist files in `/var/db/dslocal/nodes/Default/users/`. This activity is often performed post-exploitation to gain further access to systems and sensitive data. The rule requires data from Elastic Defend.
Attack Chain
- An attacker gains initial access to a macOS system through an exploit, phishing, or other means.
- The attacker executes the `defaults` command with arguments such as `ShadowHashData` to attempt to retrieve shadow hash data.
- Alternatively, the attacker uses the `mkpassdb` command with the `-dump` argument to dump the password database.
- The attacker might use the `dscl` command with arguments containing `ShadowHashData` to query user information, including hashes.
- The attacker attempts to read user .plist files from `/var/db/dslocal/nodes/Default/users/` using `plutil`, `cat`, `strings`, `xxd`, or `head`.
- The attacker extracts the password hashes from the output of the commands.
- The attacker cracks the password hashes using tools like hashcat or John the Ripper.
- The attacker uses the cracked credentials to move laterally to other systems or access sensitive data.
Impact
Successful execution of these commands allows an attacker to obtain user account hashes, which can then be cracked to reveal passwords. This can lead to unauthorized access to sensitive data, lateral movement within the network, and potentially complete compromise of the affected systems and the network as a whole. A successful attack can impact all macOS systems within an organization.
Recommendation
- Enable Elastic Defend integration for macOS endpoints to collect the necessary process execution data (as described in the rule setup).
- Deploy the “Dumping Account Hashes via Built-In Commands” rule to your Elastic SIEM environment and tune false positives using the guidance in the rule’s note section.
- Monitor process creation events for the execution of `defaults`, `mkpassdb`, `dscl`, `plutil`, `cat`, `strings`, `xxd`, and `head` with arguments indicative of hash dumping (see the rule’s query definition).
- Investigate any alerts generated by the “Dumping Account Hashes via Built-In Commands” rule, following the triage steps in the rule’s note section.
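As an added example (not the rule's own query logic), the matching conditions the rule text describes, expressed as a small Python triage function run over constructed process-execution events; `ProcEvent`, `is_hash_dump_attempt`, `triage` and the sample command lines are hypothetical, while the command names, the `ShadowHashData` argument and the `/var/db/dslocal/nodes/Default/users/` path come from the rule description.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical helper names; the path and command list come from the rule text.
USERS_NODE = "/var/db/dslocal/nodes/Default/users/"
PLIST_READERS = {"plutil", "cat", "strings", "xxd", "head"}

@dataclass
class ProcEvent:
    name: str        # process.name (basename of the executable)
    args: List[str]  # process.args, argv[0] included

def parse_cmdline(line: str) -> ProcEvent:
    """Turn a recorded command line into a ProcEvent (shell-style tokenising)."""
    argv = shlex.split(line)
    return ProcEvent(name=argv[0].rsplit("/", 1)[-1], args=argv)

def is_hash_dump_attempt(ev: ProcEvent) -> Optional[str]:
    """Return the coverage item an event matches, or None for benign use.
    Branches mirror the rule text: defaults/dscl with ShadowHashData,
    mkpassdb -dump, and a reader opened on a per-user .plist under USERS_NODE."""
    tail = ev.args[1:]
    if ev.name in {"defaults", "dscl"} and any("ShadowHashData" in a for a in tail):
        return "shadowhashdata_query"
    if ev.name == "mkpassdb" and "-dump" in tail:
        return "mkpassdb_dump"
    if ev.name in PLIST_READERS and any(a.startswith(USERS_NODE) for a in tail):
        return "plist_read"
    return None

# Constructed sample events: the first four are the patterns the rule
# describes, the last three are ordinary use of the same binaries.
SAMPLE_EVENTS = [
    "defaults read /var/db/dslocal/nodes/Default/users/alice.plist ShadowHashData",
    "/usr/bin/mkpassdb -dump",
    "dscl . -read /Users/alice ShadowHashData",
    "plutil -p /var/db/dslocal/nodes/Default/users/alice.plist",
    "defaults read com.apple.finder ShowPathbar",
    "cat /etc/hosts",
    "xxd /tmp/capture.bin",
]

def triage(lines: List[str]) -> List[Optional[str]]:
    """Label each recorded command line; None means no alert."""
    return [is_hash_dump_attempt(parse_cmdline(line)) for line in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict or 'benign':22} {line}")
```

The three benign lines show why the rule keys on the argument (`ShadowHashData`, the dslocal path) rather than on the binary alone: `defaults`, `cat` and `xxd` are in constant legitimate use.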
Detection coverage (3 rules)
- Detect macOS Account Hash Dumping via defaults Command (severity: high): detects macOS account hash dumping attempts using the `defaults` command with `ShadowHashData`.
- Detect macOS Account Hash Dumping via mkpassdb -dump (severity: high): detects macOS account hash dumping attempts using the `mkpassdb` command with the `-dump` argument.
- Detect macOS Account Hash Dumping via plist file access (severity: medium): detects macOS account hash dumping attempts by reading user .plist files.