sysadminctl

Created by Hare Sudhan (@cyb3rbuff)

Description

sysadminctl can administer system user accounts. sysadminctl can be used to change user passwords, create new users (including automatically provisioning the user home folder) or to check the status of a user’s SecureToken.

Created: 2024-11-19
Tactics: Initial Access, Persistence, Impact, Exfiltration
Tags: users, password

Paths

  • /usr/sbin/sysadminctl

Use Cases

Enable Guest Account

sysadminctl can be used to enable the guest account

sudo sysadminctl -guestAccount on

Create Local User Account

sysadminctl can be used to create a local user account

sudo sysadminctl -addUser randomUser -password "randomPassword"

Create a Local Admin Account

sysadminctl can be used to create a local admin account

sudo sysadminctl -addUser randomUser -password "randomPassword" -admin

Reset user password

sysadminctl can be used to reset the password for a particular user account

sudo sysadminctl -resetPasswordFor randomUser -newPassword "randomPassword"

Delete a local account

sysadminctl can delete the specified user account

sudo sysadminctl -deleteUser randomUser

Enable SMB Guest Access

sysadminctl can enable SMB Guest Access

sudo sysadminctl -smbGuestAccess on

Enable AFP Guest Access

sysadminctl can enable AFP Guest Access

sudo sysadminctl -afpGuestAccess on

Detections
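
An added example, not part of the original entry: a Python check that flags the sysadminctl use cases listed above in process command-line telemetry and redacts the values of -password and -newPassword before they reach an alert. The function name, finding strings and sample lines are constructed for illustration, and only a bare leading sudo (no sudo options) is handled.

```python
import os
import shlex

# Flags below are the ones used in this page's use cases.
TOGGLES = {  # alert only when the value is "on"
    "-guestAccount": "guest account enabled",
    "-smbGuestAccess": "SMB guest access enabled",
    "-afpGuestAccess": "AFP guest access enabled",
}
ACCOUNT_OPS = {  # flag is followed by a user name
    "-addUser": "local user created",
    "-deleteUser": "local user deleted",
    "-resetPasswordFor": "password reset",
}
SECRETS = {"-password", "-newPassword"}  # next token is a plaintext credential


def analyze(cmdline):
    """Return (findings, redacted_cmdline), or None if this is not sysadminctl."""
    argv = shlex.split(cmdline)
    if argv and os.path.basename(argv[0]) == "sudo":
        argv = argv[1:]  # simple case only: sudo without options of its own
    if not argv or os.path.basename(argv[0]) != "sysadminctl":
        return None
    findings, redacted, args = [], [argv[0]], argv[1:]
    for i, tok in enumerate(args):
        if i > 0 and args[i - 1] in SECRETS:
            # Credential value: keep it out of alerts and never parse it as a flag.
            redacted.append("<redacted>")
            continue
        redacted.append(tok)
        value = args[i + 1] if i + 1 < len(args) else ""
        # Assumption: compare "on" case-insensitively to err toward alerting.
        if tok in TOGGLES and value.lower() == "on":
            findings.append(TOGGLES[tok])
        elif tok in ACCOUNT_OPS:
            findings.append(f"{ACCOUNT_OPS[tok]}: {value}")
        elif tok == "-admin":
            findings.append("new account has admin rights")
    return findings, " ".join(redacted)


# Constructed sample command lines, modelled on the use cases above.
SAMPLES = [
    'sudo sysadminctl -addUser randomUser -password "randomPassword" -admin',
    "/usr/sbin/sysadminctl -guestAccount off",
    "sudo sysadminctl -smbGuestAccess on",
    "/bin/ls -la /Users",
]
```

Because the password is passed as an argument, any process-execution log that records these commands also records the credential, which is why the redaction step runs before anything is returned.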

Resources