AN1237: Analytic 1237
Account creation using 'dscl -create' or via GUI tools. Detection involves command execution and file changes to the local directory services database.
Analyst context for executives and security teams
This analytic is about spotting new local account creation on macOS, either through the `dscl -create` command or GUI account-management tools. For leaders, the value is not the command itself; it is confirming whether the organization can reliably see unexpected local identity changes on Macs, because local accounts can affect endpoint control, incident containment, auditability, and recovery confidence.
Executive priority
Prioritize this as an endpoint identity and audit-control validation item for macOS environments. Security leaders should ask whether SOC and IR teams can prove when a local macOS account was created, by whom or by what process, and whether the event is distinguishable from approved IT administration. This supports incident decision-making, compliance evidence around account lifecycle controls, and resilience planning for managed macOS fleets.
Technical view
Validate coverage for macOS local account creation using command execution evidence for `dscl -create` and file-change evidence associated with the local directory services database. Because ATT&CK does not provide a formal detection block or relationship context for this analytic, teams should treat it as a detection engineering requirement rather than a complete rule: define approved account-provisioning paths, compare command-line and GUI-driven creation paths, and confirm that endpoint telemetry captures both process activity and relevant local account database modifications.
Likely telemetry
- macOS process execution telemetry, especially invocations of `dscl` with `-create` arguments
- Command-line arguments and parent process context for account-management activity
- Endpoint file-change telemetry for the local directory services database
- macOS administrative or account-management audit events where available
- EDR or endpoint management records showing approved GUI-based account creation activity
Detection direction
- Test both command-line and GUI account creation paths; the official description explicitly references `dscl -create` and GUI tools.
- Tune against known IT administration workflows to reduce false positives from help desk, device enrollment, or endpoint management activity.
- Correlate process execution with local directory services database changes to improve confidence, especially where GUI tooling may not expose a simple command-line pattern.
- Review blind spots on unmanaged or lightly monitored macOS systems where command-line logging, file-change monitoring, or EDR collection may be incomplete.
- Because no ATT&CK relationships or tactics are supplied, avoid over-mapping this analytic to a specific adversary objective without local incident context.
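The correlation described in the points above, written out as an added Python example that is not part of the analytic or of Glexia's analysis. It runs detection logic over constructed process-execution and file-change records: a `dscl` create of a `/Users/...` record raises a medium-confidence alert, a matching write to the local directory services user record within a short window raises it to high, a record written with no `dscl` command at all (the GUI path) stays at medium, and an invocation whose parent is an approved provisioning tool is suppressed for tuning. The dslocal directory `/var/db/dslocal/nodes/Default/users/` and the approved parent name are assumptions about one environment, and the example accepts both `-create` and the dash-less `create` form that `dscl` also understands.

```python
"""Correlate macOS process-execution and file-change telemetry for local account creation.

Added example; telemetry records below are constructed, not captured from a real host.
"""
import shlex
from dataclasses import dataclass, field

# Assumption: local directory services (dslocal) user records live here on macOS.
DSLOCAL_USERS_DIR = "/var/db/dslocal/nodes/Default/users/"
# Assumption: hypothetical parent process name of an approved provisioning tool.
APPROVED_PARENTS = {"mdm-agent-placeholder"}
CORRELATION_WINDOW_S = 30  # seconds between dscl execution and record write


@dataclass
class Alert:
    user: str
    confidence: str          # "high", "medium" or "suppressed"
    reason: str
    evidence: list = field(default_factory=list)


def dscl_created_user(cmdline):
    """Return the short name if cmdline is a dscl create of a /Users record, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
        return None
    for i, arg in enumerate(argv[:-1]):
        # dscl accepts both "-create" and "create"; attribute writes repeat the record path.
        if arg.lstrip("-") == "create" and argv[i + 1].startswith("/Users/"):
            return argv[i + 1][len("/Users/"):].split("/")[0]
    return None


def dslocal_user_from_path(path):
    """Map a dslocal user record path to the account name, or None for other files."""
    if path.startswith(DSLOCAL_USERS_DIR) and path.endswith(".plist"):
        return path[len(DSLOCAL_USERS_DIR):-len(".plist")]
    return None


def detect(process_events, file_events):
    """Return one Alert per account touched, ordered by first observed evidence."""
    alerts = {}
    for ev in process_events:                      # command-line path
        user = dscl_created_user(ev["cmdline"])
        if user is None:
            continue
        a = alerts.setdefault(user, Alert(user, "medium", "dscl create of user record"))
        a.evidence.append(("process", ev["ts"], ev["cmdline"], ev["parent"]))
        if ev["parent"] in APPROVED_PARENTS:       # tuning against approved workflows
            a.confidence = "suppressed"
            a.reason = "approved provisioning parent: " + ev["parent"]
    for fev in file_events:                        # file-change path (corroborates, or GUI)
        user = dslocal_user_from_path(fev["path"])
        if user is None or fev["op"] not in ("create", "modify"):
            continue
        a = alerts.get(user)
        if a is None:
            a = alerts[user] = Alert(
                user, "medium", "dslocal user record written without a dscl command (GUI or other tool)")
            a.evidence.append(("file", fev["ts"], fev["path"], fev["proc"]))
            continue
        a.evidence.append(("file", fev["ts"], fev["path"], fev["proc"]))
        proc_ts = [e[1] for e in a.evidence if e[0] == "process"]
        if a.confidence != "suppressed" and any(
                abs(fev["ts"] - t) <= CORRELATION_WINDOW_S for t in proc_ts):
            a.confidence = "high"
            a.reason = "dscl create corroborated by dslocal record change"
    return sorted(alerts.values(), key=lambda a: a.evidence[0][1])


# Constructed sample telemetry (timestamps are seconds; names are placeholders).
SAMPLE_PROCESS_EVENTS = [
    {"ts": 100, "cmdline": "/usr/bin/dscl . -create /Users/svc_backup", "parent": "bash"},
    {"ts": 101, "cmdline": "dscl . -create /Users/svc_backup UserShell /bin/zsh", "parent": "bash"},
    {"ts": 200, "cmdline": "dscl . -read /Users/admin", "parent": "bash"},
    {"ts": 300, "cmdline": "dscl . -create /Users/enrolled_user", "parent": "mdm-agent-placeholder"},
]
SAMPLE_FILE_EVENTS = [
    {"ts": 102, "path": DSLOCAL_USERS_DIR + "svc_backup.plist", "op": "create", "proc": "opendirectoryd"},
    {"ts": 301, "path": DSLOCAL_USERS_DIR + "enrolled_user.plist", "op": "create", "proc": "opendirectoryd"},
    {"ts": 500, "path": DSLOCAL_USERS_DIR + "helpdesk2.plist", "op": "create", "proc": "opendirectoryd"},
    {"ts": 600, "path": "/Users/admin/Library/Preferences/x.plist", "op": "modify", "proc": "cfprefsd"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(f"{alert.user:15} {alert.confidence:10} {alert.reason}")
```

The first account is flagged high because the command line and the record write line up within the window, the MDM-driven one is suppressed by the parent allowlist, and the third surfaces only through the file-change path, which is exactly the GUI-created case the analytic says command-line telemetry alone would miss.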
Mitigation priorities
- Establish an approved macOS local account creation process and document expected tools, administrators, and change windows.
- Restrict local administrative privileges and review who can create local accounts on managed Macs.
- Ensure endpoint monitoring captures both process execution and relevant file-change activity on macOS systems.
- Periodically audit local accounts against authorized inventory or identity governance records.
- Use incident response playbooks to triage unexpected local account creation, including validating business justification and recent administrative activity.
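The periodic audit in the list above, as an added Python example that is neither the analytic's nor Glexia's code. It parses the two-column output of `dscl . -list /Users UniqueID` (name and UID per line), sets aside macOS system accounts (underscore-prefixed names or UIDs below 500, the conventional boundary below which Apple reserves UIDs), and compares the remainder with an authorized inventory. The inventory and the `dscl` output are constructed; on a real Mac the output would come from running that command.

```python
"""Audit local macOS accounts against an authorized inventory.

Added example; the dscl output and inventory below are constructed sample data.
"""
import subprocess

SYSTEM_UID_BOUNDARY = 500  # macOS reserves UIDs below 500 for system accounts


def parse_dscl_list(output):
    """Parse 'dscl . -list /Users UniqueID' output into {name: uid}."""
    accounts = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].lstrip("-").isdigit():
            continue  # skip blank or malformed lines
        accounts[parts[0]] = int(parts[1])
    return accounts


def is_system_account(name, uid):
    return name.startswith("_") or uid < SYSTEM_UID_BOUNDARY


def audit_local_accounts(dscl_output, authorized):
    """Return unexpected accounts, UID mismatches, and inventory entries absent from the host."""
    local = {n: u for n, u in parse_dscl_list(dscl_output).items()
             if not is_system_account(n, u)}
    return {
        "unexpected": sorted(n for n in local if n not in authorized),
        "uid_mismatch": sorted(n for n in local if n in authorized and authorized[n] != local[n]),
        "missing": sorted(n for n in authorized if n not in local),
    }


# Constructed sample in the real two-column format of the dscl listing.
SAMPLE_DSCL_OUTPUT = """\
_amavisd                83
_appowner               87
daemon                  1
nobody                  -2
root                    0
adminlocal              501
jdoe                    502
svc_backup              503
"""
# Constructed inventory: jdoe is recorded with a different UID, one entry is not on the host.
AUTHORIZED = {"adminlocal": 501, "jdoe": 510, "mgmt_break_glass": 504}


def live_dscl_output():
    """Run the listing on a Mac; fall back to the sample elsewhere."""
    try:
        return subprocess.run(["dscl", ".", "-list", "/Users", "UniqueID"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_DSCL_OUTPUT


if __name__ == "__main__":
    for finding, names in audit_local_accounts(live_dscl_output(), AUTHORIZED).items():
        print(f"{finding:13} {', '.join(names) or '-'}")
```

Unexpected accounts are the finding that should feed the incident response playbook; a UID mismatch usually means an account was deleted and re-created outside the approved process, and a missing entry is inventory drift to reconcile rather than an alert.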
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS account creation. Its practical value is strongest when used to validate endpoint identity telemetry and administrative process control, not as a standalone indication of malicious activity. Local baselining is essential because legitimate IT operations may create accounts through both command-line and GUI methods.
The official detection field is not provided, tactics are not specified, and no relationships were supplied. This take is therefore limited to the official description, platform, external reference, and object metadata. Environment-specific account policies, logging configuration, and endpoint tooling are required to determine actual detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0cac090ad3ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1237
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.