AN1606: Analytic 1606
Adversary creates new users using 'dscl' commands, GUI tools, or by modifying user plist files. Detection includes monitoring dscl invocation and user-related plist changes.
Analyst context for executives and security teams
This analytic is about detecting unauthorized local user creation on macOS. For security leaders, the business issue is not the specific command or tool; it is whether the organization can notice when a new local account appears outside approved identity and endpoint administration processes. Unapproved accounts can complicate incident response, weaken access governance, and create audit gaps if local macOS administration is not monitored.
Executive priority
Prioritize this where macOS endpoints are material to operations, privileged workflows, or regulated evidence requirements. Leaders should ask whether local account creation is governed, logged, reviewed, and tied to approved change processes. The key decision value is confirming that SOC and endpoint teams can distinguish expected IT provisioning from suspicious or unauthorized local user creation.
Technical view
The supplied ATT&CK object is a macOS detection analytic for adversary creation of new users using dscl commands, GUI tools, or modification of user plist files. SOC and detection teams should validate visibility into dscl invocation and changes to user-related plist files. Because no tactic, relationship context, or official detection logic is supplied, detection engineering should treat this as a coverage validation requirement rather than a complete rule specification.
Likely telemetry
- macOS process execution telemetry for dscl invocation
- Endpoint telemetry showing command-line execution where available
- File modification telemetry for user-related plist files
- macOS local account inventory or user creation/change events
- Administrative change records or endpoint management logs to identify approved account provisioning
Detection direction
- Validate that macOS endpoint logging captures dscl execution and enough process context to identify the initiating user, parent process, host, and time.
- Monitor user-related plist file changes and correlate them with expected administrative activity.
- Tune for authorized IT workflows, endpoint management actions, and helpdesk provisioning to reduce false positives.
- Look for local user creation that lacks a corresponding approved change record or identity administration event.
- Account for blind spots where GUI-based user creation or direct plist modification may not produce the same command-line evidence as dscl.
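The detection direction above can be turned into a small correlation routine: flag dscl invocations that create a user record or append one to the admin group, and separately flag writes to the local Directory Services user plists that have no dscl invocation nearby, which is the signature the GUI path or a direct plist edit leaves. The following is an added example written for this page, not MITRE's or Glexia's detection logic. The event schema, the host names, the approved-parent path /Library/Acme/mdm-agent, the change-record user list and the event lines themselves are constructed for the example; the plist path /var/db/dslocal/nodes/Default/users/<name>.plist is the standard location of local user records on macOS.

```python
"""Toy AN1606 correlation over constructed macOS endpoint events.

Events are assumed to be normalized into dicts with a 'type' of either
'process' (fields: ts, host, user, parent, cmdline) or 'file_write'
(fields: ts, host, process, path). This schema is an assumption for the
example, not a real EDR or ESF format.
"""
import fnmatch
import os
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Standard on-disk location of local Directory Services user records.
USER_PLIST_GLOB = "/var/db/dslocal/nodes/Default/users/*.plist"
# Hypothetical: parent binaries the organization treats as approved provisioning.
APPROVED_PARENTS = {"/Library/Acme/mdm-agent"}
# Hypothetical: users named in approved change records for the period.
APPROVED_USERS = {"svc_backup"}
# A plist write this close to a dscl create for the same user corroborates it.
CORRELATION_WINDOW = timedelta(seconds=30)

# Constructed sample events, not captured telemetry.
EVENTS = [
    {"ts": "2026-03-02T09:00:01", "host": "mac-042", "type": "process", "user": "root",
     "parent": "/Library/Acme/mdm-agent",
     "cmdline": "dscl . -create /Users/svc_backup UserShell /bin/zsh"},
    {"ts": "2026-03-02T09:00:02", "host": "mac-042", "type": "file_write",
     "process": "/usr/libexec/opendirectoryd",
     "path": "/var/db/dslocal/nodes/Default/users/svc_backup.plist"},
    {"ts": "2026-03-02T13:22:10", "host": "mac-017", "type": "process", "user": "root",
     "parent": "/bin/bash", "cmdline": "dscl . -create /Users/.helper"},
    {"ts": "2026-03-02T13:22:11", "host": "mac-017", "type": "process", "user": "root",
     "parent": "/bin/bash", "cmdline": "dscl . -append /Groups/admin GroupMembership .helper"},
    {"ts": "2026-03-02T13:22:11", "host": "mac-017", "type": "file_write",
     "process": "/usr/libexec/opendirectoryd",
     "path": "/var/db/dslocal/nodes/Default/users/.helper.plist"},
    # No dscl invocation precedes this write: GUI creation or direct plist edit.
    {"ts": "2026-03-02T15:40:00", "host": "mac-099", "type": "file_write",
     "process": "/usr/libexec/opendirectoryd",
     "path": "/var/db/dslocal/nodes/Default/users/jdoe.plist"},
]


def parse_dscl(cmdline):
    """Return (action, username) for dscl command lines that create a user
    record or append a user to the admin group; None for anything else."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) != "dscl":
        return None
    for i, tok in enumerate(argv):
        if tok == "-create" and i + 1 < len(argv) and argv[i + 1].startswith("/Users/"):
            return ("dscl_user_create", argv[i + 1].split("/")[2])
        if (tok == "-append" and argv[i + 1:i + 3] == ["/Groups/admin", "GroupMembership"]
                and i + 3 < len(argv)):
            return ("dscl_admin_group_append", argv[i + 3])
    return None


def user_from_plist(path):
    """Map a write under the local users node to the record name it affects."""
    if fnmatch.fnmatch(path, USER_PLIST_GLOB):
        return os.path.basename(path)[: -len(".plist")]
    return None


def analyze(events, approved_users=APPROVED_USERS):
    """Produce findings for dscl user creation/admin promotion and for user
    plist writes that no dscl create explains. 'approved' is True when the
    parent is an approved provisioning binary or a change record names the user."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    creates = defaultdict(list)  # (host, user) -> timestamps of dscl creates
    for e in events:
        if e["type"] != "process":
            continue
        parsed = parse_dscl(e["cmdline"])
        if parsed is None:
            continue
        action, user = parsed
        if action == "dscl_user_create":
            creates[(e["host"], user)].append(datetime.fromisoformat(e["ts"]))
        findings.append({"host": e["host"], "user": user, "action": action,
                         "approved": e["parent"] in APPROVED_PARENTS or user in approved_users,
                         "evidence": e["cmdline"]})
    for e in events:
        if e["type"] != "file_write":
            continue
        user = user_from_plist(e["path"])
        if user is None:
            continue
        ts = datetime.fromisoformat(e["ts"])
        if any(abs(ts - c) <= CORRELATION_WINDOW for c in creates[(e["host"], user)]):
            continue  # corroborates a dscl create already reported
        findings.append({"host": e["host"], "user": user, "action": "plist_change_without_dscl",
                         "approved": user in approved_users,
                         "evidence": f"{e['process']} wrote {e['path']}"})
    return findings


def unapproved(findings):
    """Findings with no approved parent and no matching change record."""
    return [f for f in findings if not f["approved"]]


if __name__ == "__main__":
    for f in unapproved(analyze(EVENTS)):
        print(f"{f['host']} {f['action']} user={f['user']} :: {f['evidence']}")
```

Run against the constructed events, the MDM-driven creation of svc_backup is reported as approved, the two dscl events on mac-017 (creation of .helper and its addition to the admin group) are reported as unapproved, and the jdoe plist write on mac-099 is reported as a plist change with no dscl invocation behind it, which is exactly the blind spot the last bullet describes. The parser recognizes only the dscl shapes named on this page; extend the allowlists and the change-record lookup from your own provisioning records rather than the constructed values here.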
Mitigation priorities
- Establish and enforce approved processes for local macOS account creation and administration.
- Limit who can create or modify local users on macOS systems.
- Maintain periodic inventory of local macOS accounts and reconcile against authorized ownership and business need.
- Ensure endpoint telemetry retention supports incident response review of account creation and plist modification activity.
- Use audit evidence from account reviews and endpoint monitoring to support access governance and compliance readiness.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. It provides a concise behavior description and platform scope but no official detection pseudocode, tactics, mitigations, or relationship context. Local environment baselines are essential because legitimate macOS administration may use the same mechanisms.
The supplied fields only support macOS coverage and the behaviors named in the description: dscl commands, GUI tools, and user-related plist changes. No active exploitation, actor attribution, impact level, specific technique relationship, or guaranteed detection outcome is provided.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9e666ef106d4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1606 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.