Account or Group Discovery via Built-In Tools

process where event.type== "start" and event.action == "exec" and
  ( (process.name: ("groups","id"))
    or (process.name : "dscl" and process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
    or (process.name: "dscacheutil" and process.args:("user", "group"))
    or process.args:("/etc/passwd", "/etc/master.passwd", "/etc/sudoers")
    or (process.name: "getent" and process.args:("passwd", "group"))
  )