Attack Chain

1. A user with sufficient privileges executes a command-line tool like dscl to modify group membership.
2. The dscl command targets the local directory service to modify the “admin” group.
3. The command adds a specific username to the list of members of the “admin” group.
4. The operating system processes the directory service modification request and updates group membership.
5. The system logs the event as a change to group membership, specifically “od_group_add” for the “admin” group.
6. Jamf Protect detects this event and forwards the telemetry to the Elastic platform.
7. The Elastic detection rule triggers based on the received event data.
8. An alert is generated, prompting security analysts to investigate potential privilege escalation.

Impact

Successful privilege escalation can grant an attacker complete control over the affected macOS system. This can lead to unauthorized data access, modification, or deletion, as well as the installation of malware or other malicious software. While the risk score is relatively low (21), the potential impact of a successful attack necessitates monitoring for this behavior. Post-privilege escalation, attackers can establish persistence, install software, create new user accounts, or perform lateral movement within the network.

Recommendation

• Configure Jamf Protect to forward macOS endpoint events to the Elastic platform to enable the detections in this brief.
• Deploy the Sigma rule macOS User Added to Admin Group via dscl to detect potential privilege escalation attempts.
• Investigate any alerts generated by this rule by reviewing the actions taken by the affected user immediately after being added to the admin group, looking for persistence mechanisms or unauthorized software installs.
• Use the provided investigation queries in the rule’s metadata to find related events from the host or parent process.