item 15801796

abritishguy | 8 years ago

If you have `osquery` deployed to your fleet, you can detect compromise with this query:

SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;


sounds | 8 years ago

That only detects enabled root users, which is a start but may include innocent people who have set a root password to protect their machines.
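The check the two comments discuss, reimplemented as an added example that is not part of the thread: the script below applies the same condition as the osquery query (key `passwd` on root's dslocal plist with `length(value) > 1`) directly to the plist with Python's `plistlib`, and reports the result as "root-enabled" rather than "compromised", since, as the reply notes, an enabled root account may simply be an administrator who set a root password. The sample plists are constructed here, not captured from a machine; the layout of the dslocal record (attributes stored as single-element arrays, `*` meaning no usable password) is an assumption, not something the thread states.

```python
import plistlib
from typing import Any, Mapping

# Path inspected by the osquery query quoted in the thread (macOS local directory store).
ROOT_PLIST_PATH = "/private/var/db/dslocal/nodes/Default/users/root.plist"


def _scalar(value: Any) -> str:
    """Flatten a dslocal attribute to a string.

    Assumption: dslocal stores each attribute as a single-element array
    (e.g. "passwd": ["*"]); plain strings and bytes are also accepted.
    """
    if isinstance(value, list):
        value = value[0] if value else ""
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    return value if isinstance(value, str) else ""


def root_password_set(record: Mapping[str, Any]) -> bool:
    """Same condition as the query: key "passwd" present and length(value) > 1.

    Assumption: a disabled root account carries "*" (length 1) in "passwd";
    once a password exists the value is longer, so length > 1 means "enabled".
    """
    return len(_scalar(record.get("passwd"))) > 1


def classify(plist_bytes: bytes) -> str:
    """Classify a root.plist as root-disabled or root-enabled.

    "root-enabled" is a triage signal, not proof of compromise: the reply in
    the thread points out that admins who deliberately set a root password
    produce exactly the same result.
    """
    record = plistlib.loads(plist_bytes)
    return "root-enabled" if root_password_set(record) else "root-disabled"


def classify_host(path: str = ROOT_PLIST_PATH) -> str:
    """Run the check against the live file (needs root to read it)."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed sample records (not real data): the disabled default and an
# enabled root account with the placeholder value a set password leaves behind.
DISABLED_ROOT = plistlib.dumps({"name": ["root"], "uid": ["0"], "passwd": ["*"]})
ENABLED_ROOT = plistlib.dumps({"name": ["root"], "uid": ["0"], "passwd": ["********"]})

if __name__ == "__main__":
    for label, sample in (("disabled", DISABLED_ROOT), ("enabled", ENABLED_ROOT)):
        print(f"{label}: {classify(sample)}")
```

Fleet-wide, the osquery query is the practical form of this check; the script is useful for understanding what the query is actually matching and for confirming, on one host, why a hit fired before deciding whether it is the bug or a deliberately enabled root account.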