IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Enumeration of Privileged Local Groups Membership Executable File Creation with Multiple Extensions »
Elastic Docs Elastic Security Solution [8.5] Detections and alerts Prebuilt rule reference

Enumeration of Users or Groups via Built-in Commands

edit

Enumeration of Users or Groups via Built-in Commands

edit

Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Discovery

Version: 100 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit











Rule query
edit








process where event.type in ("start", "process_started") and (
process.name : ("ldapsearch", "dsmemberutil") or (process.name :
"dscl" and process.args : ("read", "-read", "list", "-list",
"ls", "search", "-search") and process.args : ("/Active
Directory/*", "/Users*", "/Groups*")) ) and not
process.parent.executable :
("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence",
"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree",
"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.
app/Contents/MacOS/JamfDaemon", "/Applications/Jamf
Connect.app/Contents/MacOS/Jamf Connect",
"/usr/local/jamf/bin/jamf", "/Library/Application
Support/AirWatch/hubd", "/opt/jc/bin/jumpcloud-agent",
"/Applications/ESET Endpoint
Antivirus.app/Contents/MacOS/esets_daemon", "/Applications/ESET
Endpoint Security.app/Contents/MacOS/esets_daemon", "/Library/Pri
vilegedHelperTools/com.fortinet.forticlient.uninstall_helper" )











Threat mapping
edit




Framework: MITRE ATT&CKTM














Rule version history
edit










Version 100 (8.5.0 release)








    

  • 
Formatting only

    • 









Version 5 (8.4.0 release)








    

  • 

    Updated query, changed from:
    

    

    

    process where event.type in ("start", "process_started") and not
process.parent.executable :
("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence",
"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree",
"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.
app/Contents/MacOS/JamfDaemon", "/Applications/Jamf
Connect.app/Contents/MacOS/Jamf Connect",
"/usr/local/jamf/bin/jamf" ) and process.name : ("ldapsearch",
"dsmemberutil") or (process.name : "dscl" and process.args :
("read", "-read", "list", "-list", "ls", "search", "-search") and
process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
    

    

    • 









Version 3 (8.2.0 release)








    

  • 

    Updated query, changed from:
    

    

    

    process where event.type in ("start", "process_started") and not
process.parent.executable :
("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence",
"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree",
"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.
app/Contents/MacOS/JamfDaemon", "/usr/local/jamf/bin/jamf" )
and process.name : ("ldapsearch", "dsmemberutil") or
(process.name : "dscl" and process.args : ("read", "-read",
"list", "-list", "ls", "search", "-search") and process.args :
("/Active Directory/*", "/Users*", "/Groups*"))
    

    

    • 









Version 2 (7.13.0 release)








    

  • 

    Updated query, changed from:
    

    

    

    process where event.type in ("start", "process_started") and not
process.parent.executable :
("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
process.name : ("ldapsearch", "dsmemberutil") or (process.name :
"dscl" and process.args : ("read", "-read", "list", "-list",
"ls", "search", "-search") and process.args : ("/Active
Directory/*", "/Users*", "/Groups*"))
    

    

    • 




















« Enumeration of Privileged Local Groups Membership


Executable File Creation with Multiple Extensions »