Dumping Account Hashes via Built-In Commands

Last updated 5 months ago on 2025-03-18
Created 5 years ago on 2021-01-25

About

Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.
Tags
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*
Related Integrations

endpoint

Query
process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.name in ("defaults", "mkpassdb") and process.args like~ ("ShadowHashData", "-dump")
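The following is an added example, not part of the rule page and not Elastic's code: a small Python re-implementation of the query's clauses, run over constructed sample process events so the matching logic can be checked offline without an Elastic Stack. It does not execute EQL; the `like_ci` helper is an assumption that approximates EQL's `like~` operator (case-insensitive match with `*` and `?` wildcards), the event dicts are constructed, and the plist path in them is a placeholder.

```python
"""Added example: mirror the EQL rule's conditions in Python and apply them
to constructed sample events. Not Elastic's code; it does not run EQL."""
from fnmatch import fnmatchcase

# Conditions copied from the rule's EQL query above
OS_TYPE = "macos"
EVENT_TYPES = {"start", "process_started"}
PROCESS_NAMES = {"defaults", "mkpassdb"}
ARG_PATTERNS = ("ShadowHashData", "-dump")  # compared with like~ in the rule


def like_ci(value: str, pattern: str) -> bool:
    """Assumed approximation of EQL `like~`: case-insensitive wildcard match."""
    return fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event: dict) -> bool:
    """Return True when a process event satisfies every clause of the rule."""
    if event.get("host.os.type") != OS_TYPE:
        return False
    if event.get("event.type") not in EVENT_TYPES:
        return False
    if event.get("process.name") not in PROCESS_NAMES:
        return False
    # process.args is an ECS array field; EQL matches when any element matches
    args = event.get("process.args") or []
    return any(like_ci(arg, pat) for arg in args for pat in ARG_PATTERNS)


def run_detection(events: list) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); the plist path is a placeholder.
SAMPLE_EVENTS = [
    # benign defaults usage: no matching argument
    {"id": "e1", "host.os.type": "macos", "event.type": "start",
     "process.name": "defaults",
     "process.args": ["defaults", "read", "com.apple.finder", "AppleShowAllFiles"]},
    # matches: argument differs only in case, which like~ ignores
    {"id": "e2", "host.os.type": "macos", "event.type": "start",
     "process.name": "defaults",
     "process.args": ["defaults", "read", "/placeholder/user.plist", "shadowhashdata"]},
    # matches: the other built-in command with its dump flag
    {"id": "e3", "host.os.type": "macos", "event.type": "process_started",
     "process.name": "mkpassdb", "process.args": ["mkpassdb", "-dump"]},
    # excluded by the host.os.type clause
    {"id": "e4", "host.os.type": "linux", "event.type": "start",
     "process.name": "mkpassdb", "process.args": ["mkpassdb", "-dump"]},
    # excluded by the event.type clause (process exit, not start)
    {"id": "e5", "host.os.type": "macos", "event.type": "end",
     "process.name": "mkpassdb", "process.args": ["mkpassdb", "-dump"]},
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # -> ['e2', 'e3']
```

Events e4 and e5 show why the `host.os.type` and `event.type` clauses matter: the same command line on another OS, or the process-exit event for a matching start, would otherwise produce duplicate or irrelevant alerts. Event e2 shows the effect of `like~` versus a plain `in` comparison: a case-changed argument still matches.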

Install detection rules in Elastic Security

Detect Dumping Account Hashes via Built-In Commands in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.