macOS Local System Accounts Discovery
Adversaries leverage various built-in macOS utilities and commands, such as `dscl`, `dscacheutil`, `cat /etc/passwd`, `id`, `lsof`, `who`, `w`, `users`, `last`, `ls /Users`, `defaults`, and `plutil`, to enumerate local system accounts, facilitating lateral movement or privilege escalation within a compromised macOS environment.
This brief highlights the post-exploitation technique of discovering local system accounts on macOS environments. Threat actors, once gaining initial access, commonly employ a range of native macOS commands and utilities to map out the system's user landscape. These tools include directory service commands like dscl and dscacheutil, file system commands such as cat for /etc/passwd, and user enumeration commands like id, who, w, users, and last. Additionally, attackers may inspect home directories via ls /Users or system preference files using defaults and plutil to gather information about logged-in users or login configurations. The primary motivation for this reconnaissance is to identify potential targets for lateral movement, privilege escalation, or to understand the scope of user access on the compromised machine. This activity is a crucial step in the adversary's playbook, enabling them to expand their foothold and achieve their ultimate objectives, which could range from data exfiltration to deploying malware.
Attack Chain
- Initial Access (Assumed): An adversary gains an initial foothold on a macOS system through an unspecified mechanism (e.g., malware execution, compromised credentials, exploitation of a vulnerability).
- Execute
dsclfor User Listing: The attacker executesdscl . -list /Usersto list all local user accounts present on the system. - Execute
dscacheutilfor User Information: The attacker runsdscacheutil -q userto query the directory service cache for detailed user information. - Inspect System Files for Accounts: The attacker uses commands like
cat /etc/passwd, potentially piped throughawkorgrep, to identify user accounts and their associated UIDs. - Enumerate Current and Past Logged-in Users: Commands such as
id,who,w,users, andlastare used to determine currently active sessions, user IDs, and recent login history. - Scan User Home Directories: The adversary lists the contents of the
/Usersdirectory usingls /Usersto identify existing user profiles. - Inspect Login Window Preferences: The attacker uses
defaults read /Library/Preferences/com.apple.loginwindoworplutil -p /Library/Preferences/com.apple.loginwindow.plistto extract login window configurations, which might reveal additional user or system details. - Information Consolidation and Next Steps: The gathered account information is then used to plan further actions, such as targeting specific users for credential compromise, attempting privilege escalation, or facilitating lateral movement to other systems.
Impact
Successful enumeration of local system accounts provides adversaries with critical intelligence regarding potential targets for further compromise. This information can be leveraged to craft more effective phishing campaigns, identify users with elevated privileges, or determine accounts that are infrequently used but still active, making them ideal for persistence or lateral movement. The ultimate impact can range from expanded access within the network, unauthorized data exfiltration, to the deployment of ransomware or other destructive payloads if administrative accounts are identified and compromised. While this specific activity is informational, it directly contributes to more severe stages of an attack.
Recommendation
- Deploy the Sigma rule "macOS Local System Accounts Discovery" to your SIEM to detect suspicious enumeration activity.
- Ensure macOS process creation logging is enabled for all endpoints to allow the above rule to function effectively.
- Review alerts generated by this rule to identify legitimate administrative activities versus potential malicious reconnaissance.
- Implement strong authentication mechanisms and privilege access management (PAM) solutions to limit the impact of compromised credentials identified via such discovery activities.
Detection coverage 1
macOS Local System Accounts Discovery
lowDetects enumeration of local system accounts on macOS systems using various built-in utilities, indicative of reconnaissance for lateral movement or privilege escalation.
Detection queries are available on the platform. Get full rules →