From d02580979312e404a5feb2fe4f4801a397fa4077 Mon Sep 17 00:00:00 2001
From: Hare Sudhan
Date: Tue, 19 Nov 2024 23:43:56 -0500
Subject: [PATCH 1/2] add sysadminctl update

---
 LOOBins/sysadminctl.yml | 59 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 LOOBins/sysadminctl.yml

diff --git a/LOOBins/sysadminctl.yml b/LOOBins/sysadminctl.yml
new file mode 100644
index 0000000..5106c7c
--- /dev/null
+++ b/LOOBins/sysadminctl.yml
@@ -0,0 +1,59 @@
+name: sysadminctl
+author: Hare Sudhan (@cyb3rbuff)
+short_description: Create/delete local accounts, guest account, enable SMB/AFP Guest access.
+full_description: |
+ sysadminctl can administer system user accounts. sysadminctl can be used to change user passwords, create new
+ users (including automatically provisioning the user home folder) or to check the status of a user's SecureToken.
+created: 2024-11-19
+example_use_cases:
+ - name: Enable Guest Account
+ description: sysadminctl can be used to enable the guest account
+ code: |
+ sudo sysadminctl -guestAccount on
+ tactics:
+ - Initial Access
+ - name: Create Local User Account
+ description: sysadminctl can be used to create a local user account
+ code: |
+ sudo sysadminctl -addUser randomUser -password "randomPassword"
+ tactics:
+ - Persistence
+ tags:
+ - users
+ - name: Create a Local Admin Account
+ description: sysadminctl can be used to create a local admin account
+ code: |
+ sudo sysadminctl -addUser randomUser -password "randomPassword" -admin
+ tactics:
+ - Persistence
+ tags:
+ - users
+ - name: Reset user password
+ description: sysadminctl can be used to reset password for a particular user account
+ code: |
+ sudo sysadminctl -resetPasswordFor randomUser -newPassword "randomPassword"
+ tactics:
+ - Persistence
+ tags:
+ - password
+ - users
+ - name: Delete a local account
+ description: sysadminctl can delete the specified user account
+ code: |
+ sudo sysadminctl -deleteUser randomUser
+ tactics:
+ - Impact
+ tags:
+ - users
+paths:
+ - /usr/sbin/sysadminctl
+detections:
+ - name: "Sigma: Creation Of A Local User Account"
+ url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_create_account.yml
+ - name: "Sigma: User Added To Admin Group Via Sysadminctl"
+ url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
+ - name: "Sigma: Guest Account Enabled Via Sysadminctl"
+ url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
+resources:
+ - name: "sysadminctl man page"
+ url: https://ss64.com/mac/sysadminctl.html

From 75ff3dd03632b743f3a3296d862599586a605cdb Mon Sep 17 00:00:00 2001
From: Hare Sudhan
Date: Tue, 19 Nov 2024 23:47:46 -0500
Subject: [PATCH 2/2] enable AFP/SMB

---
 LOOBins/sysadminctl.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/LOOBins/sysadminctl.yml b/LOOBins/sysadminctl.yml
index 5106c7c..c648b6e 100644
--- a/LOOBins/sysadminctl.yml
+++ b/LOOBins/sysadminctl.yml
@@ -45,6 +45,18 @@ example_use_cases:
 - Impact
 tags:
 - users
+ - name: Enable SMB Guest Access
+ description: sysadminctl can enable SMB Guest Access
+ code: |
+ sudo sysadminctl -smbGuestAccess on
+ tactics:
+ - Exfiltration
+ - name: Enable AFP Guest Access
+ description: sysadminctl can enable AFP Guest Access
+ code: |
+ sudo sysadminctl -afpGuestAccess on
+ tactics:
+ - Exfiltration
 paths:
 - /usr/sbin/sysadminctl
 detections:
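Review bot: The `Enable Guest Account` use case is the only entry in this hunk without a `tags:` list, while every sibling carries at least `- users`; add `tags:` with `- users` under its `tactics:` so the entries stay uniform. The `detections:` list lines up with the create-user, `-admin` and `-guestAccount` use cases, but nothing is listed for the `-resetPasswordFor` and `-deleteUser` use cases, which leaves a reader assuming they are covered; either add a detection reference if one exists or say in those `description` fields that no public rule is listed yet. All three Sigma rules sit under `process_creation`, and the `-password`/`-newPassword` examples place the secret directly in the argument list, so it is worth one sentence in `full_description` noting that process command-line telemetry is what these detections depend on and that it will also capture the password value.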
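Review bot: The two new use cases, `Enable SMB Guest Access` and `Enable AFP Guest Access`, add no entry under `detections:` for the `-smbGuestAccess` and `-afpGuestAccess` flags, and the existing `Guest Account Enabled Via Sysadminctl` Sigma rule presumably keys on `-guestAccount`, so it should not be taken to cover them; if no rule exists, the `description` should say so rather than leaving the gap implicit. Both entries also omit the `tags:` list that the neighbouring `Delete a local account` entry carries (`tags:` / `- users` in the leading context lines). The `Exfiltration` tactic is hard to justify for switching on unauthenticated guest file sharing, which reads as weakening an access control on the host rather than moving data off it; `Initial Access`, as used for `-guestAccount` earlier in the file, or a short rationale in the `description` would make the mapping defensible. The rest of `example_use_cases:` lies outside this hunk.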