MITRE ATT&CK® Analytic

AN0336: Analytic 0336

Execution of dscl or sysadminctl commands to disable, delete, or modify users combined with anomalous process ancestry or terminal session launch.

Enterprise | AN0336 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because unexpected macOS account changes can quickly affect business continuity, privileged access, and incident response confidence. The key decision point is whether the organization can reliably see use of built-in macOS administration tools such as dscl or sysadminctl when they disable, delete, or modify users, especially when launched from unusual parent processes or terminal sessions.

Executive priority

Prioritize this as an identity and endpoint visibility validation item for macOS estates. Leaders should ask whether security teams can prove who changed local users, from what host, through what process path, and whether those changes were authorized. This supports incident triage, access governance evidence, and resilience against account disruption or unauthorized local privilege changes.

Technical view

For SOC and IR teams, validate monitoring for dscl and sysadminctl execution on macOS with command-line context, process ancestry, user context, host identity, and terminal-session indicators. Because ATT&CK does not provide a detection implementation for AN0336, teams should treat this as a detection engineering requirement: identify administrative baselines, then alert or investigate when user disablement, deletion, or modification occurs with anomalous ancestry or interactive terminal launch patterns.

Likely telemetry

  • macOS process execution events
  • Command-line arguments for dscl and sysadminctl
  • Parent and grandparent process ancestry
  • Interactive terminal or shell session indicators
  • Local user account change records where available

Detection direction

  • Confirm that macOS endpoint telemetry captures full command line and process ancestry for dscl and sysadminctl.
  • Baseline legitimate administrative workflows to reduce false positives from IT support, device management, and authorized local account maintenance.
  • Prioritize review of commands that disable, delete, or modify users when launched from unusual parents or ad hoc terminal sessions.
  • Correlate endpoint process data with identity or administrative change records where available to determine authorization.
  • Document blind spots where macOS hosts lack command-line logging, process ancestry, or local account-change visibility.
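An added example (not Glexia's or MITRE's code) of the detection logic this page calls for, run over constructed sample process-execution events: it flags dscl or sysadminctl invocations that write local user or group records when the parent is outside an approved baseline or the launch came from an interactive terminal. The event field names, the verb and option lists, and the placeholder "mdm-agent" baseline are assumptions.

```python
import shlex
# dscl verbs that write directory records; sysadminctl options that change accounts.
DSCL_WRITE_VERBS = {"-create", "-delete", "-append", "-merge", "-change", "-passwd"}
SYSADMINCTL_ACCOUNT_OPTS = {"-addUser", "-deleteUser", "-resetPasswordFor", "-secureTokenOn", "-secureTokenOff"}
# Assumed baseline of parents allowed to change local accounts ("mdm-agent" is a placeholder).
APPROVED_PARENTS = {"mdm-agent"}
def is_account_change(cmd):
    """Label the command if it writes a local user/group record, else return None."""
    argv = shlex.split(cmd)
    tool = argv[0].rsplit("/", 1)[-1] if argv else ""   # tolerate /usr/sbin/dscl etc.
    if tool == "dscl":
        verb = next((a for a in argv[1:] if a in DSCL_WRITE_VERBS), None)
        if verb is None:
            return None
        i = argv.index(verb)
        target = argv[i + 1] if i + 1 < len(argv) else ""
        if target.startswith(("/Users/", "/Groups/")):
            return f"dscl {verb} {target}"
    elif tool == "sysadminctl":
        opt = next((a for a in argv[1:] if a in SYSADMINCTL_ACCOUNT_OPTS), None)
        if opt is not None:
            return f"sysadminctl {opt}"
    return None

def anomaly_reasons(event):
    """Ancestry or launch-context conditions the analytic treats as anomalous."""
    reasons = []
    if event.get("parent") not in APPROVED_PARENTS:
        reasons.append(f"unapproved parent {event.get('parent')!r}")
    if event.get("tty"):                                 # interactive terminal session
        reasons.append(f"interactive session on {event['tty']}")
    return reasons

def evaluate(events):
    """Return one alert per account change that also has at least one anomaly reason."""
    alerts = []
    for ev in events:
        change = is_account_change(ev["cmd"])
        if change is not None and (reasons := anomaly_reasons(ev)):
            alerts.append({"host": ev["host"], "user": ev["user"], "change": change, "reasons": reasons})
    return alerts

# Constructed sample process-execution events (assumed EDR field names, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "mac-01", "user": "root", "parent": "mdm-agent", "tty": None, "cmd": "sysadminctl -addUser helpdesk -fullName 'Help Desk' -password -"},
    {"host": "mac-02", "user": "root", "parent": "bash", "tty": "ttys003", "cmd": "dscl . -delete /Users/jdoe"},
    {"host": "mac-03", "user": "admin", "parent": "bash", "tty": "ttys001", "cmd": "dscl . -read /Users/jdoe UniqueID"},
    {"host": "mac-04", "user": "root", "parent": "python3", "tty": None, "cmd": "/usr/sbin/sysadminctl -deleteUser svc_backup"},
]
```

Only the two writes from unapproved or interactive contexts (mac-02 and mac-04) produce alerts; the MDM-launched account creation and the read-only dscl query do not.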

Mitigation priorities

  • Ensure macOS administrative rights are limited to approved users and workflows.
  • Use standard, auditable account-management procedures rather than unmanaged local terminal activity where possible.
  • Retain endpoint telemetry sufficient for incident response reconstruction of local user changes.
  • Review macOS administrative baselines periodically so detection tuning reflects legitimate operational activity.
  • Include this behavior in compliance and access-governance evidence checks for macOS systems.

Analyst notes and limits

AN0336 is a detection analytic for macOS focused on dscl or sysadminctl commands used to disable, delete, or modify users, especially with anomalous process ancestry or terminal session launch. No ATT&CK tactics, relationships, aliases, or official detection logic were supplied, so the strongest use is as a validation prompt for macOS identity and endpoint monitoring.

This take is limited to the supplied ATT&CK fields. It does not establish active exploitation, adversary attribution, impact, or current coverage. Local environment baselines are required to distinguish legitimate administration from suspicious activity.

Official MITRE ATT&CK definition

Analytic 0336

Execution of dscl or sysadminctl commands to disable, delete, or modify users combined with anomalous process ancestry or terminal session launch.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 881c7ede5825da29...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 881c7ede5825…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0336 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.