dscl
Created by Jonathan Bar Or (@yo_yo_yo_jbo)
Description
An extensive tool for communicating with the Directory Services, useful for Discovery.
Created | Tactics | Tags |
---|---|---|
2023-04-25 | Discovery Persistence | users network configuration groups shares password policy |
Paths
/usr/bin/dscl
Use Cases
Local user enumeration
Enumerate all local users.
dscl . -list /Users
dscl . list /Users
dscl . ls /Users
Active Directory user enumeration
Enumerate all Active Directory users.
dscl "/Active Directory/TEST/All Domains" -list /Users
dscl "/Active Directory/TEST/All Domains" list /Users
dscl "/Active Directory/TEST/All Domains" ls /Users
Local user information gathering
Gain useful local user information such as when their password was last set, their keyboard layout, their avatar, their home directory, UID and default shell.
dscl . -read /Users/$USERNAME
dscl . read /Users/$USERNAME
dscl . cat /Users/$USERNAME
Active Directory user information gathering
Gain useful Active Directory user information such as when their password was last set, their keyboard layout, their avatar, their home directory, UID and default shell.
dscl "/Active Directory/TEST/All Domains" -read /Users/$USERNAME
dscl "/Active Directory/TEST/All Domains" read /Users/$USERNAME
dscl "/Active Directory/TEST/All Domains" cat /Users/$USERNAME
Local group enumeration
Enumerate all local groups.
dscl . -list /Groups
dscl . list /Groups
dscl . ls /Groups
Active Directory group enumeration
Enumerate all Active Directory groups.
dscl "/Active Directory/TEST/All Domains" -list /Groups
dscl "/Active Directory/TEST/All Domains" list /Groups
dscl "/Active Directory/TEST/All Domains" ls /Groups
Local group information gathering
Gain useful local group information such as which users belong to that group, SMB SIDs and group ID. Especially useful for the “admin” group.
dscl . -read /Groups/$GROUPNAME
dscl . read /Groups/$GROUPNAME
dscl . cat /Groups/$GROUPNAME
Active Directory group information gathering
Gain useful Active Directory group information such as which users belong to that group, SMB SIDs and group ID. Especially useful for the “admin” group.
dscl "/Active Directory/TEST/All Domains" -read /Groups/$GROUPNAME
dscl "/Active Directory/TEST/All Domains" read /Groups/$GROUPNAME
dscl "/Active Directory/TEST/All Domains" cat /Groups/$GROUPNAME
Computer enumeration
Enumerate all computers in an Active Directory.
dscl "/Active Directory/TEST/All Domains" -list /Computers
dscl "/Active Directory/TEST/All Domains" list /Computers
dscl "/Active Directory/TEST/All Domains" ls /Computers
Share enumeration
Enumerate all shares.
dscl . -list /SharePoints
dscl . list /SharePoints
dscl . ls /SharePoints
Password policy discovery
Gain password policy information.
dscl . -read /Config/shadowhash
dscl . read /Config/shadowhash
dscl . cat /Config/shadowhash
Change a user password
Change an existing user’s password.
dscl . passwd /Users/$USERNAME oldPassword newPassword
Local account creation
Create a local account.
dscl -create
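
Each read-only use case above has three interchangeable spellings (-list/list/ls, -read/read/cat), so a detection rule keyed on a single spelling misses the other two. The Python sketch below is an added example, not part of the original entry: it normalizes those aliases and maps a dscl command line from process telemetry to the use cases listed on this page. The `classify` function, the rule labels and the sample command lines are constructed for illustration, and the parser assumes no dscl options precede the datasource, as in the commands above.

```python
import os
import shlex

# Verb spellings exactly as they appear in the commands on this page.
ALIASES = {"list": "list", "ls": "list", "read": "read", "cat": "read",
           "passwd": "passwd", "create": "create"}

# (canonical verb, record path prefix, use case label); labels are assumptions.
RULES = [
    ("list", "/Users", "user enumeration"),
    ("list", "/Groups", "group enumeration"),
    ("list", "/Computers", "computer enumeration"),
    ("list", "/SharePoints", "share enumeration"),
    ("read", "/Users/", "user information gathering"),
    ("read", "/Groups/", "group information gathering"),
    ("read", "/Config/shadowhash", "password policy discovery"),
    ("passwd", "/Users/", "password change"),
    ("create", "", "account creation")]

def classify(cmdline):
    """Return (scope, use_case) for a dscl command line, else None."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "dscl":
        return None
    datasource, verb, path = "", None, ""
    for i, arg in enumerate(argv[1:], start=1):
        verb = ALIASES.get(arg.lstrip("-"))
        if verb:
            path = argv[i + 1] if i + 1 < len(argv) else ""
            break
        datasource = arg  # assumption: no options precede the datasource
    if verb is None:
        return None
    scope = {".": "local"}.get(datasource, "unknown")
    if datasource.startswith("/Active Directory/"):
        scope = "Active Directory"
    for rule_verb, prefix, label in RULES:
        if verb == rule_verb and path.startswith(prefix):
            return scope, label
    return scope, "other " + verb

# Constructed sample process command lines (not real telemetry).
SAMPLE = [
    "dscl . -list /Users",
    '/usr/bin/dscl "/Active Directory/TEST/All Domains" ls /Computers',
    "dscl . cat /Config/shadowhash",
]

if __name__ == "__main__":
    print([classify(line) for line in SAMPLE])
```
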