by abritishguy 3119 days ago
If you have `osquery` deployed to your fleet you can detect compromise with this query:

SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;

1 comments

That only detects enabled root users, which is a start but may include innocent people who have set a root password to protect their machines.
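As an added illustration of how the detection above and the reply's caveat fit together (this is example code, not anything posted by either commenter): the script below re-applies the query's filter (the `passwd` key of the root user's local node plist, value longer than one character, since a disabled root account carries only the `*` placeholder) to constructed osquery result rows, then separates hosts where root was intentionally enabled from those that warrant investigation. The `hostname` column, the sample hash values and the known-enabled list are all assumptions made here for the example.

```python
import json

# Path inspected by the osquery query in the comment above.
ROOT_PLIST = "/private/var/db/dslocal/nodes/Default/users/root.plist"

# Constructed sample rows, shaped like `osqueryi --json` output for osquery's
# plist table (path, key, value). The "hostname" column is an assumption used
# here to tag rows per host; the hash strings are placeholders, not real hashes.
SAMPLE_ROWS = json.loads(json.dumps([
    {"hostname": "mac-01", "path": ROOT_PLIST, "key": "passwd", "value": "*"},
    {"hostname": "mac-02", "path": ROOT_PLIST, "key": "passwd", "value": "$ml$PLACEHOLDER_HASH_A"},
    {"hostname": "mac-03", "path": ROOT_PLIST, "key": "passwd", "value": "$ml$PLACEHOLDER_HASH_B"},
    # Unrelated key on the same plist: must not match the filter.
    {"hostname": "mac-03", "path": ROOT_PLIST, "key": "shell", "value": "/bin/sh"},
]))


def root_enabled_hosts(rows):
    """Apply the same predicate as the osquery query in pure Python.

    A disabled root account stores the single placeholder "*" in the passwd
    key, so any value longer than one character means root can log in.
    """
    hits = {
        row["hostname"]
        for row in rows
        if row["path"] == ROOT_PLIST
        and row["key"] == "passwd"
        and len(row["value"]) > 1
    }
    return sorted(hits)


def triage(rows, known_root_enabled):
    """Split matches per the reply's caveat: an enabled root user is not by
    itself evidence of compromise, so hosts where an administrator set a root
    password on purpose (an assumed allowlist) are reported separately from
    hosts that need a closer look."""
    enabled = root_enabled_hosts(rows)
    return {
        "expected": [h for h in enabled if h in known_root_enabled],
        "investigate": [h for h in enabled if h not in known_root_enabled],
    }


if __name__ == "__main__":
    # Assumed allowlist: mac-02's owner deliberately enabled root.
    print(json.dumps(triage(SAMPLE_ROWS, {"mac-02"}), indent=2))
```

In a real deployment the rows would come from the fleet's osquery logs rather than the inline sample, and the allowlist would be whatever record the team keeps of machines where enabling root was a deliberate choice.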