BIG-RAT / mobile_to_local

Migrate mobile Active Directory account to a local account
MIT License

CWE-214: Invocation of Process Using Visible Sensitive Information #13

Open 59e5aaf4 opened 2 weeks ago

59e5aaf4 commented 2 weeks ago

Hey peeps, passing passwords as parameters is a no-no. Don't do that. - https://cwe.mitre.org/data/definitions/214.html

Also, touching dsAttrTypeNative:ShadowHashData will get EDRs to kill your script. I didn't really get what your script does based on the documentation. It unregisters a macOS computer from a Windows Active Directory environment, deletes the AD user account from the workstation, creates a similarly-named local user account, and re-maps any ownership from the previous AD account to the local account?

Please enhance your documentation so that whoever lands on your script because a user of their company tried to stealthily unregister their workstation from the AD :D. Also, thanks for properly commenting your script, it has tons of useful command lines & comments.

Best regards!

59e5aaf4 commented 15 hours ago

It's been 3 weeks and as it turns out, an entire department chose to use your tool to unregister macOS devices. Our EDR keeps alerting on the specific deletion of ShadowHashData (it would do so on a few other fields if it didn't instakill the process).

I don't mind that, we can tune this out and ignore such alerts, but a side effect of using cleartext passwords as command line parameters is that they're leaked all over the place in our EDR telemetry logs and in our SIRP alerts; and I'm allergic to seeing cleartext credentials :D

Sample detection details:

ParentCmdLine: Downloads/Mobile to Local.app/Contents/Resources/scripts/mobileToLocal.sh USERNAME PASSWORDAHHAHA 0 true false keeplist
File Name: echo
Cmd Line: /bin/echo (timestamp) WORKSTATION USERNAME[migrate]: deleting attribute: dsAttrTypeNative:ShadowHashData
Detect Desc.: A user's password hash was dumped
Pattern Desc.: Prevention, process was blocked from execution.

Please (eventually) publish a new version with the passwords securely handled :D
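Both comments come down to the same CWE-214 point: the password sits on argv, so it lands in EDR command-line telemetry. The following is an added example, not code from the mobile_to_local project: a hypothetical `migrate_user` that takes the password on stdin instead of as the second positional parameter, plus a `redact_cmdline` filter for telemetry that still carries the old argv form (`read_secret`, `migrate_user` and `redact_cmdline` are names assumed here).

```bash
#!/bin/bash
# Added example (not from mobile_to_local): keep the migration password
# off argv, and redact the argv form in EDR/SIRP telemetry that has it.

# Read one line from stdin, without echo when attached to a terminal.
#   printf '%s\n' "$PW" | read_secret   (non-interactive, e.g. from a deployment tool)
#   read_secret                         (prompts on a tty)
read_secret() {
  local secret
  if [ -t 0 ]; then
    read -r -s -p 'Password: ' secret
    printf '\n' >&2
  else
    IFS= read -r secret
  fi
  printf '%s' "$secret"
}

# Hypothetical replacement for `mobileToLocal.sh USERNAME PASSWORD ...`:
# the user name stays on argv, the password arrives on stdin only.
migrate_user() {
  local user="$1" secret
  secret="$(read_secret)" || return 1
  [ -n "$secret" ] || { echo "migrate_user: empty password" >&2; return 1; }
  # Hand the secret to child tools the same way (stdin or a pipe), never
  # as an argument: anything on a child's argv is visible to ps and to
  # the EDR's process-creation events, just like the parent's argv was.
  printf 'migrating %s (password length %d, not in argv)\n' "$user" "${#secret}"
}

# Redact the password field of the old invocation when it shows up in a
# telemetry line such as "ParentCmdLine: .../mobileToLocal.sh USER PW ..."
# before the line is forwarded to a SIRP or long-term log store.
redact_cmdline() {
  sed -E 's#(mobileToLocal\.sh[[:space:]]+[^[:space:]]+[[:space:]]+)[^[:space:]]+#\1<REDACTED>#'
}
```

Redaction only limits exposure in stored logs; the process-creation event itself still carried the secret, so the script-side change is the real fix.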