Users
Overview
Evidence: Users
Description: Collect Users
Category: System
Platform: macos
Short Name: users
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
User account information provides details about local accounts on macOS, including group memberships and account properties. This data is essential for understanding system access and detecting unauthorized accounts.
Data Collected
This collector gathers structured data about users.
Users Data
| Field | Description | Example |
|---|---|---|
| UserId | User Id | 123 |
| Name | Name | Example value |
| GroupId | Group Id | 123 |
| GroupName | Group Name | Example value |
| Description | Description | Example value |
| Directory | Directory | Example value |
| Shell | Shell | Example value |
Collection Method
This collector queries osquery’s users table joined with its groups table and records the results into the users table.
Forensic Value
This evidence is crucial for forensic investigations as it helps identify suspicious or unauthorized accounts, detect privilege escalation, and audit user management for policy compliance.
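As an added example (not part of the product or its documentation), the sketch below triages rows shaped like the Users Data table for accounts worth a closer look. The thresholds, shell list, finding labels and sample rows are assumptions based on macOS defaults, and built-in accounts may match them, so compare against a known-good host.

```python
# Added example: heuristic triage of rows shaped like the Users Data table.
# Thresholds and the shell list are assumptions drawn from macOS defaults,
# not product rules; baseline them against a known-good host.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/tcsh", "/bin/ksh"}
FIRST_REGULAR_UID = 501                  # regular local accounts start here
PRIVILEGED_GIDS = {0: "wheel", 80: "admin"}

def triage_user(row):
    """Return a list of finding labels for one collected user row."""
    uid, gid = int(row["UserId"]), int(row["GroupId"])
    name, shell = row["Name"], row["Shell"]
    findings = []
    if uid == 0 and name != "root":
        findings.append("uid-0-alias")   # second account sharing root's UID
    if 0 < uid < FIRST_REGULAR_UID and shell in INTERACTIVE_SHELLS:
        findings.append("system-range-uid-with-login-shell")
    if uid >= FIRST_REGULAR_UID and gid in PRIVILEGED_GIDS:
        findings.append("primary-group-" + PRIVILEGED_GIDS[gid])
    if uid >= FIRST_REGULAR_UID and name.startswith("_"):
        findings.append("service-style-name-on-regular-uid")
    return findings

def triage(rows, baseline_names=frozenset()):
    """Map account name -> findings, skipping names present in a baseline."""
    report = {}
    for row in rows:
        if row["Name"] in baseline_names:
            continue
        findings = triage_user(row)
        if findings:
            report[row["Name"]] = findings
    return report

# Constructed sample rows (not real collection output).
FIELDS = ("UserId", "Name", "GroupId", "GroupName", "Description", "Directory", "Shell")
SAMPLE_ROWS = [dict(zip(FIELDS, r)) for r in [
    (0, "root", 0, "wheel", "System Administrator", "/var/root", "/bin/sh"),
    (70, "_www", 70, "_www", "World Wide Web Server", "/Library/WebServer", "/usr/bin/false"),
    (501, "alice", 20, "staff", "Alice", "/Users/alice", "/bin/zsh"),
    (0, "toor", 0, "wheel", "", "/var/root", "/bin/bash"),
    (401, "support", 20, "staff", "", "/var/support", "/bin/bash"),
    (502, "_updater", 80, "admin", "", "/Users/_updater", "/bin/zsh"),
]]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ROWS).items():
        print(name, findings)
```
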