Enumeration of Users or Groups via Built-in Commands

Last updated: 2025-03-18
Created: 2021-01-12

About

Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.
Tags
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Language: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint

Query
process where host.os.type == "macos" and event.type in ("start", "process_started") and
  (
    process.name in ("ldapsearch", "dsmemberutil") or
    (process.name == "dscl" and
      process.args in ("read", "-read", "list", "-list", "ls", "search", "-search") and
      process.args like ("/Active Directory/*", "/Users*", "/Groups*"))
  ) and
  ((process.Ext.effective_parent.executable like "/Volumes/*" or process.parent.executable like "/Volumes/*") or
   (process.Ext.effective_parent.name : ".*" or process.parent.name : ".*") or
   (process.parent.code_signature.trusted == false or process.parent.code_signature.exists == false))
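As an added illustration that is not part of the rule or of Elastic's code, the Python below approximates the query's logic (the command clause, the suspicious-parent clause, and EQL's element-wise matching on array fields such as process.args and event.type) and evaluates it against constructed sample events. The field layout follows the query above, including the Elastic Defend-specific process.Ext.effective_parent fields; all event values are invented.

```python
from fnmatch import fnmatchcase
from functools import reduce
DSCL_VERBS = ("read", "-read", "list", "-list", "ls", "search", "-search")
DSCL_PATHS = ("/Active Directory/*", "/Users*", "/Groups*")

def get(ev, path):
    """Dotted-field lookup on a nested event dict ('process.parent.name'); None if absent."""
    return reduce(lambda cur, k: cur.get(k) if isinstance(cur, dict) else None, path.split("."), ev)

as_list = lambda v: v if isinstance(v, list) else [v]  # EQL: ANY element of an array field may match

def is_enum_command(ev):
    """Command clause: ldapsearch, dsmemberutil, or dscl with an enumeration verb and a Users/Groups/AD path."""
    name = get(ev, "process.name")
    args = [a for a in as_list(get(ev, "process.args")) if isinstance(a, str)]
    dscl_enum = (name == "dscl" and any(a in DSCL_VERBS for a in args)
                 and any(fnmatchcase(a, p) for a in args for p in DSCL_PATHS))
    return name in ("ldapsearch", "dsmemberutil") or dscl_enum

def is_suspicious_parent(ev):
    """Parent clause: launched from a mounted volume, a dot-prefixed (hidden) parent, or an unsigned/untrusted parent."""
    execs = (get(ev, "process.Ext.effective_parent.executable"), get(ev, "process.parent.executable"))
    names = (get(ev, "process.Ext.effective_parent.name"), get(ev, "process.parent.name"))
    sig = get(ev, "process.parent.code_signature") or {}
    return (any(e and fnmatchcase(e, "/Volumes/*") for e in execs)
            or any(n and n.startswith(".") for n in names)
            or sig.get("trusted") is False or sig.get("exists") is False)

def matches_rule(ev):
    """Whole rule: macOS process start AND enumeration command AND suspicious parent."""
    return (get(ev, "host.os.type") == "macos"
            and any(t in ("start", "process_started") for t in as_list(get(ev, "event.type")))
            and is_enum_command(ev) and is_suspicious_parent(ev))

def _ev(name, args, parent, os_type="macos"):  # constructed minimal ECS-shaped event, not real telemetry
    return {"host": {"os": {"type": os_type}}, "event": {"type": ["start"]},
            "process": {"name": name, "args": args, "parent": parent}}
SIGNED = {"exists": True, "trusted": True}
SAMPLES = {  # constructed samples: the first and third should fire, the second (signed shell parent) should not
    "dscl_unsigned_parent": _ev("dscl", ["dscl", ".", "list", "/Users"],
                                {"name": "dropper", "executable": "/tmp/dropper", "code_signature": {"exists": False}}),
    "dscl_signed_shell": _ev("dscl", ["dscl", ".", "list", "/Users"],
                             {"name": "zsh", "executable": "/bin/zsh", "code_signature": SIGNED}),
    "ldapsearch_from_volume": _ev("ldapsearch", ["ldapsearch", "-x"],
                                  {"name": "installer", "executable": "/Volumes/Setup/installer", "code_signature": SIGNED}),
}
def evaluate_samples():  # {sample_name: bool} for every constructed sample
    return {k: matches_rule(v) for k, v in SAMPLES.items()}
```

The second sample shows why the parent clause exists: the same dscl enumeration from a signed, trusted shell is treated as routine administration and does not match.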

Install detection rules in Elastic Security

Detect Enumeration of Users or Groups via Built-in Commands in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.