From 18412b6a2c3deb218a128781f7879b3e8f173c1f Mon Sep 17 00:00:00 2001
From: "Nick K."
Date: Wed, 11 Feb 2026 09:23:10 -0600
Subject: [PATCH] Update hidden_account_created_dscl.yaml

The original analytic only looks for the use of "-create" however the Directory Services Command Line tool (dscl) includes a the create option without the leading '-' that also will create a hidden account. The predicate as written does not trigger if the '-' is omitted from create, but this updated predicate will.
---
 custom_analytic_detections/hidden_account_created_dscl.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/custom_analytic_detections/hidden_account_created_dscl.yaml b/custom_analytic_detections/hidden_account_created_dscl.yaml
index 073c0c8..c859524 100644
--- a/custom_analytic_detections/hidden_account_created_dscl.yaml
+++ b/custom_analytic_detections/hidden_account_created_dscl.yaml
@@ -8,7 +8,7 @@ tags:
 snapshotFiles: []
 filter: $event.type == 1 AND ($event.process.path.lastPathComponent == "dscl" AND
- ((ANY $event.process.args == "IsHidden") AND (ANY $event.process.args == "-create") AND (ANY $event.process.args IN {"true", "1", "yes"})))
+ ((ANY $event.process.args == "IsHidden") AND (ANY $event.process.args IN {"-create", "create"}) AND (ANY $event.process.args IN {"true", "1", "yes"})))
 actions:
 - name: Log
 context: []
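Review bot: The reason for matching both `-create` and `create` exists only in the commit message; the predicate on the added line gives a maintainer no hint that the bare spelling is deliberate, so a later cleanup could fold the set back to a single value. Add a comment above the `filter:` line such as `# dscl accepts its subcommands with or without the leading dash; match both spellings of create`. Because the three ANY clauses are evaluated independently over the whole argument list, the rule fires whenever `IsHidden`, either create spelling, and a true-like value all appear in any order and in any dscl invocation, which is wider than a newly created account; if the analytic's name or description elsewhere in the file still reads as create-only (that text is outside the hunk), it should say so. The hunk header reports seven lines per side but only six are visible here, so the trailing context line may have been lost in the collapsed layout rather than omitted by the commit.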