IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Enumeration of Kernel Modules Executable File Creation with Multiple Extensions »

› › ›

Enumeration of Users or Groups via Built-in Commands

edit

Enumeration of Users or Groups via Built-in Commands

edit

Identifies the execution of macOS built-in commands related to account or group enumeration.

Rule type: eql

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
macOS
Threat Detection
Discovery

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit

process where event.type in ("start", "process_started") and not
process.parent.executable :
("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
process.name : ("ldapsearch", "dsmemberutil") or (process.name :
"dscl" and process.args : ("read", "-read", "list", "-list",
"ls", "search", "-search") and process.args : ("/Active
Directory/*", "/Users*", "/Groups*"))

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Permission Groups Discovery
- ID: T1069
- Reference URL: https://attack.mitre.org/techniques/T1069/

« Enumeration of Kernel Modules Executable File Creation with Multiple Extensions »