This artifact collects information about the local users on the system. The information is stored in plist files.
# Artifact definition: lists the local accounts of a macOS host by parsing
# the per-user plist files matched by UserPlistGlob. Only the fields named
# in the query are returned; other attributes in the plists are not.
name: MacOS.System.Users
description: |
  This artifact collects information about the local users on the
  system. The information is stored in plist files.
parameters:
  # Glob for the per-user plist files that the query parses.
  # NOTE(review): this directory is normally readable only by root - confirm
  # the collecting client has enough privilege; presumably the result is
  # simply empty otherwise.
  - name: UserPlistGlob
    default: /private/var/db/dslocal/nodes/Default/users/*.plist
  # When set, the final WHERE clause drops every account whose shell matches
  # the unanchored regex 'false'. This is a heuristic on the shell value
  # only: any account whose shell string contains "false" is hidden, and an
  # account with no shell attribute (default "") is shown. When reviewing a
  # host for unexpected accounts, collect with this option turned off so
  # that no account is filtered out.
  - name: OnlyShowRealUsers
    type: bool
    default: Y
sources:
  # Query outline (VQL):
  #   user_plist   - paths of the files matched by UserPlistGlob.
  #   UserDetails  - parses one user plist and reads the first element of
  #                  name, realname, shell and home (empty string when the
  #                  member is missing). LinkedIdentity[0] and
  #                  accountPolicyData[0] are themselves parsed as plists
  #                  through the 'data' accessor, but only when the
  #                  attribute is present; the if() has no else branch, so
  #                  the column is presumably null otherwise.
  #   final SELECT - runs UserDetails for every matched file, extracts the
  #                  "appleid.apple.com" field from the linked identity,
  #                  and passes creationTime, failedLoginTimestamp and
  #                  passwordLastSetTime to timestamp(epoch=...).
  #                  failedLoginCount is returned as stored.
  # CreationTime and PasswordLastSetTime are the columns to check when
  # looking for recently created or recently changed accounts.
  - query: |
      LET user_plist = SELECT OSPath FROM glob(globs=UserPlistGlob)
      LET UserDetails(OSPath) =
        SELECT get(member="name.0", default="") AS Name,
          get(member="realname.0", default="") AS RealName,
          get(member="shell.0", default="") AS UserShell,
          get(member="home.0", default="") AS HomeDir,
          if(condition=LinkedIdentity,
            then=plist(file=LinkedIdentity[0],
              accessor='data')) as AppleId,
          if(condition=accountPolicyData,
            then=plist(file=accountPolicyData[0],
              accessor='data')) AS AccountPolicyData
        FROM plist(file=OSPath)
      SELECT Name, RealName, UserShell, HomeDir,
        get(item=AppleId, field="appleid.apple.com") AS AppleId,
        timestamp(epoch=AccountPolicyData.creationTime) AS CreationTime,
        AccountPolicyData.failedLoginCount AS FailedLoginCount,
        timestamp(epoch=AccountPolicyData.failedLoginTimestamp) AS FailedLoginTimestamp,
        timestamp(epoch=AccountPolicyData.passwordLastSetTime) AS PasswordLastSetTime
      FROM foreach(row=user_plist, query={
        SELECT * FROM UserDetails(OSPath= OSPath)
      })
      WHERE NOT OnlyShowRealUsers OR NOT UserShell =~ 'false'