{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:22:39 2026 UTC","unixTime":1771345359,"epoch":0,"counter":488,"numerics":false,"columns":{"cdhash":"d74f0ac5c7c8ca05f7d23c388525233948b0cd31","child_pid":"","cmdline":"createhomedir -c -u snapattack ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=root SUDO_UID=0 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 \"SUDO_COMMAND=/bin/bash -c sysadminctl -addUser snapattack -password TempPass123! -admin && createhomedir -c -u snapattack && dseditgroup -o edit -a snapattack -t user admin\" COLORFGBG=15;0 HOME=/var/root LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=0 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/createhomedir ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"14364","original_parent":"42808","parent":"42808","parent_pidversion":"112425","path":"/usr/sbin/createhomedir","pid":"42822","pidversion":"112458","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"6037","session_id":"38273","signing_id":"com.apple.createhomedir","team_id":"","time":"1771345346","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:22:25 2026 UTC","unixTime":1771345345,"epoch":0,"counter":487,"numerics":false,"columns":{"cdhash":"2d8c889c4e6c3ec43901527969e07a6253508e1c","child_pid":"","cmdline":"sysadminctl -addUser snapattack -password TempPass123! -admin ","cmdline_count":"6","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=root SUDO_UID=0 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 \"SUDO_COMMAND=/bin/bash -c sysadminctl -addUser snapattack -password TempPass123! -admin && createhomedir -c -u snapattack && dseditgroup -o edit -a snapattack -t user admin\" COLORFGBG=15;0 HOME=/var/root LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=0 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/sysadminctl ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"14323","original_parent":"42808","parent":"42808","parent_pidversion":"112425","path":"/usr/sbin/sysadminctl","pid":"42809","pidversion":"112427","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"6019","session_id":"38273","signing_id":"com.apple.sysadminctl","team_id":"","time":"1771345343","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:22:25 2026 UTC","unixTime":1771345345,"epoch":0,"counter":487,"numerics":false,"columns":{"cdhash":"323169bddf474bedd39064f691c234e0cb0655ee","child_pid":"","cmdline":"bash -c \"sysadminctl -addUser snapattack -password TempPass123! -admin && createhomedir -c -u snapattack && dseditgroup -o edit -a snapattack -t user admin\" ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities LANG=en_US.UTF-8 HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LC_TERMINAL=iTerm2 COLORTERM=truecolor LOGNAME=root USER=root SHELL=/bin/sh \"SUDO_COMMAND=/bin/bash -c sysadminctl -addUser snapattack -password TempPass123! -admin && createhomedir -c -u snapattack && dseditgroup -o edit -a snapattack -t user admin\" SUDO_USER=root SUDO_UID=0 SUDO_GID=0 ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"14321","original_parent":"42807","parent":"42807","parent_pidversion":"112423","path":"/bin/bash","pid":"42808","pidversion":"112425","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"6018","session_id":"38273","signing_id":"com.apple.bash","team_id":"","time":"1771345343","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:22:25 2026 UTC","unixTime":1771345345,"epoch":0,"counter":487,"numerics":false,"columns":{"cdhash":"a1b9c4ceb3bf3dbe1c56c26146dc4ac8d930d1c9","child_pid":"","cmdline":"sudo bash -c \"sysadminctl -addUser snapattack -password TempPass123! -admin && createhomedir -c -u snapattack && dseditgroup -o edit -a snapattack -t user admin\" ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/sudo OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"14319","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/sudo","pid":"42807","pidversion":"112423","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"6017","session_id":"38273","signing_id":"com.apple.sudo","team_id":"","time":"1771345343","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 14:37:43 2026 UTC","unixTime":1770993463,"epoch":0,"counter":144,"numerics":false,"columns":{"cdhash":"80cecbdb035be92d2829e3210b12f871bf4ade1d","child_pid":"","cmdline":"dseditgroup -o edit -a snapattack -t user admin ","cmdline_count":"8","codesigning_flags":"","cwd":"/Users/snap","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=root SUDO_UID=0 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root PWD=/Users/snap LANG=en_US.UTF-8 SHLVL=1 \"SUDO_COMMAND=/bin/bash -c sysadminctl -addUser snapattack -password TempPass123! -admin && createhomedir -c -u snapattack && dseditgroup -o edit -a snapattack -t user admin\" COLORFGBG=15;0 HOME=/var/root LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=0 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/dseditgroup ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"4746","original_parent":"40083","parent":"40083","parent_pidversion":"105519","path":"/usr/sbin/dseditgroup","pid":"40100","pidversion":"105559","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1860","session_id":"38273","signing_id":"com.apple.dseditgroup","team_id":"","time":"1770993461","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 14:37:43 2026 UTC","unixTime":1770993463,"epoch":0,"counter":144,"numerics":false,"columns":{"cdhash":"d74f0ac5c7c8ca05f7d23c388525233948b0cd31","child_pid":"","cmdline":"createhomedir -c -u snapattack ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/snap","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=root SUDO_UID=0 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root PWD=/Users/snap LANG=en_US.UTF-8 SHLVL=1 \"SUDO_COMMAND=/bin/bash -c sysadminctl -addUser snapattack -password TempPass123! -admin && createhomedir -c -u snapattack && dseditgroup -o edit -a snapattack -t user admin\" COLORFGBG=15;0 HOME=/var/root LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=0 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/createhomedir ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"4742","original_parent":"40083","parent":"40083","parent_pidversion":"105519","path":"/usr/sbin/createhomedir","pid":"40099","pidversion":"105557","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1859","session_id":"38273","signing_id":"com.apple.createhomedir","team_id":"","time":"1770993461","uid":"0","username":"root","version":"8"},"action":"added"}