Detects attempts to enumerate local groups via Net.exe, PowerShell, or native API calls that precede lateral movement or privilege abuse.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

| Field | Description |
|---|---|
| TimeWindow | Time window between group enumeration and lateral movement or privilege escalation activity. |
| UserContext | Whether the process was executed by a privileged or low-privilege account. |

Detects enumeration of local groups using common binaries (groups, getent, cat /etc/group) or scripting with suspicious lineage.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| ProcessName | Detection tuning for binaries like `groups`, `getent`, `awk`, or `cut` that may be used in pipelines. |
| ParentProcess | Used to determine whether enumeration was triggered by a script or terminal. |

Detects use of dscl or id/group commands to enumerate local system groups, often by post-exploitation tools or persistence checks.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process:exec |

| Field | Description |
|---|---|
| CommandLineContains | Match on specific dscl paths like '/Groups' or known enumeration options. |
| InteractiveSession | Used to distinguish enumeration run from a user terminal from enumeration run by a background utility. |
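As an added example (not code from the ATT&CK page or any vendor analytic), the Python below applies the three platform rules above to constructed process-creation events, then uses the tuning fields (TimeWindow, UserContext, ParentProcess, InteractiveSession) to correlate and score the hits. The `lateral` event kind is a placeholder for whatever a separate lateral-movement analytic emits, and matching PowerShell's `Get-LocalGroup` cmdlet alongside `net localgroup` is an assumption.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns for the binaries the three analytics name. Get-LocalGroup is
# included as the PowerShell equivalent of "net localgroup" (assumption, not from the page).
ENUM_PATTERNS = {
    "windows": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b|\bGet-LocalGroup", re.I),
    "linux":   re.compile(r"^(?:groups\b|getent\s+group\b|cat\s+/etc/group\b)"),
    "macos":   re.compile(r"^dscl\b.*\s/Groups\b|^(?:id|groups)\b"),
}
# Parents that indicate an interactive operator rather than a script or service.
SHELLS = {"bash", "sh", "zsh", "cmd.exe", "powershell.exe", "Terminal"}

def is_group_enumeration(ev):
    """True when the command line matches the enumeration pattern for ev's platform."""
    pat = ENUM_PATTERNS.get(ev["platform"])
    return bool(pat and pat.search(ev["cmd"]))

def score(ev):
    """Apply the tuning fields: a low-privilege user, script lineage and non-interactive
    execution each add one point; an admin typing in a shell stays at the baseline of 1."""
    s = 1
    if not ev.get("privileged"):          # UserContext
        s += 1
    if ev.get("parent") not in SHELLS:    # ParentProcess
        s += 1
    if not ev.get("interactive", True):   # InteractiveSession
        s += 1
    return s

def correlate(events, window=timedelta(minutes=10)):
    """Pair each enumeration with the first later 'lateral' event on the same host
    inside the TimeWindow; returns (enum_event, lateral_event, score) tuples."""
    hits = []
    for e in (x for x in events if x["kind"] == "process" and is_group_enumeration(x)):
        for f in events:
            if (f["kind"] == "lateral" and f["host"] == e["host"]
                    and timedelta(0) <= f["ts"] - e["ts"] <= window):
                hits.append((e, f, score(e)))
                break
    return hits

T0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"kind": "process", "host": "ws1", "platform": "windows", "ts": T0, "cmd": "net localgroup administrators",
     "parent": "wscript.exe", "privileged": False, "interactive": False},
    {"kind": "lateral", "host": "ws1", "ts": T0 + timedelta(minutes=3)},        # inside the window
    {"kind": "process", "host": "srv2", "platform": "linux", "ts": T0, "cmd": "getent group sudo",
     "parent": "bash", "privileged": True, "interactive": True},               # admin at a terminal
    {"kind": "process", "host": "mac3", "platform": "macos", "ts": T0, "cmd": "dscl . -list /Groups",
     "parent": "launchd", "privileged": False, "interactive": False},
    {"kind": "lateral", "host": "mac3", "ts": T0 + timedelta(hours=2)},        # outside the window
]
```

Running `correlate(SAMPLE_EVENTS)` yields one correlated hit (ws1, score 4); srv2 and mac3 still match as enumeration but only srv2 is scored at the interactive-admin baseline.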