Behavioral Detection of User Discovery via Local and Remote Enumeration

ID: DET0093
Domains: Enterprise
Analytics: AN0254, AN0255, AN0256, AN0257
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0254

Adversary launches built-in system tools (e.g., whoami, query user, net user) or scripts that enumerate user account information via local execution or remote API queries (e.g., WMI, PowerShell).

Log Sources
  Data Component Name         | Channel
  Process Creation (DC0032)   | WinEventLog:Sysmon EventCode=1
  Command Execution (DC0064)  | WinEventLog:PowerShell EventCode=4104

Mutable Elements
  Field                 | Description
  ParentProcessContext  | Identify whether enumeration originates from a non-interactive shell or a system service
  TimeWindow            | Tune the temporal grouping of enumeration and subsequent lateral movement attempts
  UserContext           | Flag unexpected users issuing enumeration commands (e.g., service accounts)

AN0255

Adversary runs commands like whoami, id, w, or cat /etc/passwd from non-interactive or scripting contexts to enumerate system user details.

Log Sources
  Data Component Name         | Channel
  Process Creation (DC0032)   | auditd:SYSCALL execve

Mutable Elements
  Field             | Description
  CommandLineRegex  | Tune detection on argument presence (e.g., `cat /etc/passwd` vs. `cat` alone)
  ShellContext      | Identify whether the command was issued via cron, systemd, or a reverse shell
  AccessFrequency   | Define how often user/account commands are expected on the endpoint
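The following is an added example, not part of the ATT&CK detection strategy itself, showing how the mutable elements of AN0254 and AN0255 (CommandLineRegex, ParentProcessContext/ShellContext, UserContext, TimeWindow) can be combined into one detection pass over normalised process-creation events. The event records, field names, parent-process list and service-account pattern are constructed for the example and would be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events normalised from Sysmon EventCode=1 (Windows) and auditd
# execve (Linux) process-creation records; the field names are assumptions.
EVENTS = [
    {"ts": "2025-10-21T10:00:00", "host": "ws01", "user": "svc_backup", "parent": "wmiprvse.exe", "cmd": "whoami /all"},
    {"ts": "2025-10-21T10:00:04", "host": "ws01", "user": "svc_backup", "parent": "wmiprvse.exe", "cmd": "net user"},
    {"ts": "2025-10-21T10:00:07", "host": "ws01", "user": "svc_backup", "parent": "wmiprvse.exe", "cmd": "query user"},
    {"ts": "2025-10-21T11:30:00", "host": "ws02", "user": "alice", "parent": "explorer.exe", "cmd": "whoami"},
    {"ts": "2025-10-21T12:00:00", "host": "srv01", "user": "www-data", "parent": "sh", "cmd": "cat /etc/passwd"},
    {"ts": "2025-10-21T12:00:02", "host": "srv01", "user": "www-data", "parent": "sh", "cmd": "id"},
    {"ts": "2025-10-21T12:00:03", "host": "srv01", "user": "www-data", "parent": "sh", "cmd": "w"},
    {"ts": "2025-10-21T12:00:05", "host": "srv01", "user": "bob", "parent": "bash", "cmd": "cat"},
]
# CommandLineRegex: the enumeration commands named in AN0254/AN0255, anchored so
# a bare `cat` or a different w-prefixed binary (wget) does not match.
ENUM_PATTERNS = [re.compile(p, re.I) for p in (
    r"^whoami(\s|$)", r"^query\s+user", r"^net1?\s+user", r"^id(\s|$)",
    r"^w(\s|$)", r"^cat\s+\S*/etc/passwd(\s|$)")]
# ParentProcessContext/ShellContext and UserContext tuning knobs (assumed values).
NON_INTERACTIVE_PARENTS = {"wmiprvse.exe", "services.exe", "cron", "systemd", "sh"}
SERVICE_ACCOUNT_RE = re.compile(r"^(svc_|www-data$|nobody$)")

def is_enum(cmd):
    return any(p.search(cmd) for p in ENUM_PATTERNS)

def detect(events, window=timedelta(seconds=30), min_hits=2):
    """Chain enumeration hits per (host, user) into bursts (each hit within TimeWindow
    of the previous one); alert on a burst of min_hits or more, or on any hit from a
    non-interactive parent or a service account. Returns (host, user, count, reasons)."""
    bursts = defaultdict(list)  # (host, user) -> list of bursts (lists of events)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not is_enum(e["cmd"]):
            continue
        key, ts = (e["host"], e["user"]), datetime.fromisoformat(e["ts"])
        cur = bursts[key]
        if cur and ts - datetime.fromisoformat(cur[-1][-1]["ts"]) <= window:
            cur[-1].append(e)
        else:
            cur.append([e])
    alerts = []
    for (host, user), groups in bursts.items():
        for g in groups:
            reasons = [r for r, hit in (
                ("burst", len(g) >= min_hits),
                ("non-interactive parent", any(e["parent"] in NON_INTERACTIVE_PARENTS for e in g)),
                ("service account", bool(SERVICE_ACCOUNT_RE.search(user)))) if hit]
            if reasons:
                alerts.append((host, user, len(g), reasons))
    return alerts
```

On the constructed events the interactive `whoami` by alice produces no alert, while the service-account bursts on ws01 and srv01 each alert with all three reasons.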

AN0256

Adversary uses dscl, who, or environment variables like $USER to identify accounts or sessions via Terminal or malicious LaunchAgents.

Log Sources
  Data Component Name         | Channel
  Command Execution (DC0064)  | macos:unifiedlog subsystem:com.apple.Terminal
  Process Creation (DC0032)   | macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC

Mutable Elements
  Field                       | Description
  LaunchAgentPersistence      | Correlate dscl usage with known persistence vectors
  CommandExecutionPath        | Distinguish user-initiated terminal execution from script execution
  UsernameEnumerationPattern  | Regex-based pattern tuning for `dscl . -list /Users` combined with grep filters

AN0257

Adversary executes CLI commands like show users, show ssh, or attempts to dump AAA user lists from routers or switches.

Log Sources
  Data Component Name         | Channel
  OS API Execution (DC0021)   | networkdevice:syslog aaa privilege_exec
  Command Execution (DC0064)  | networkdevice:syslog eventlog

Mutable Elements
  Field                      | Description
  CLICommandBaseline         | Expected command set per device role/user role combination
  DeviceRoleSensitivity      | Correlate access with core vs. edge vs. management plane sensitivity
  CommandFrequencyThreshold  | Detect burst usage of `show` or `debug` commands by non-admin users