Adversary enumeration of domain accounts using net.exe, PowerShell, WMI, or LDAP queries from non-domain controllers or non-admin endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Network Traffic Content (DC0085) | NSM:Flow | LDAP Bind/Search |

| Field | Description |
|---|---|
| CommandLinePattern | Detect variations of 'net user /domain', 'Get-ADUser', 'Get-ADGroupMember'. |
| TimeWindow | Tune detection for bursts of enumeration commands or search queries. |
| SourceHost | Restrict detection to non-DC or non-admin systems where such commands are unexpected. |
Domain account enumeration using ldapsearch, samba tools (e.g., 'wbinfo -u'), or winbindd lookups.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Command Execution (DC0064) | linuxsyslog | nslcd or winbind logs |
| Network Traffic Content (DC0085) | NSM:Flow | LDAP Query |

| Field | Description |
|---|---|
| ProcessName | Detect suspicious use of ldapsearch, wbinfo, getent passwd, or samba enumeration tools. |
| LDAPSearchFilter | Tune for high-volume or broad-scope LDAP queries. |
| UserContext | Apply filters for unexpected users or service accounts executing the behavior. |
Domain group and user enumeration via dscl or dscacheutil, or queries to directory services from non-admin endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Process Execution |
| Command Execution (DC0064) | macos:unifiedlog | DS daemon log entries |

| Field | Description |
|---|---|
| CommandPattern | Match patterns such as 'dscl /Active\ Directory/All\ Domains -list /Users'. |
| EndpointRole | Flag this activity only on non-directory hosts or non-admin accounts. |
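The three analytics above share the same shape: a command-line pattern, a filter on where the activity is expected (SourceHost, UserContext, EndpointRole), and a burst threshold over a time window. The following is an added example, not part of the original page, that applies all three tunables to constructed process-creation events from Windows, Linux and macOS hosts; the host allowlist, threshold and window are assumed values to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CommandLinePattern / ProcessName / CommandPattern from the three analytics above.
ENUM_PATTERNS = [
    re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b", re.I),   # net.exe
    re.compile(r"\bGet-AD(?:User|GroupMember)\b", re.I),                      # AD cmdlets
    re.compile(r"\b(?:ldapsearch\b|wbinfo\s+-[ug]\b|getent\s+(?:passwd|group)\b)"),
    re.compile(r'\bdscl\s+"?/Active\\? ?Directory/'),                          # macOS dscl
]
EXPECTED_HOSTS = {"DC01", "ADMIN-JUMP01"}   # SourceHost / EndpointRole tunable (assumed list)
BURST_THRESHOLD, WINDOW = 3, timedelta(minutes=5)  # TimeWindow tunable (assumed values)

def is_enumeration(cmdline):
    return any(p.search(cmdline) for p in ENUM_PATTERNS)

def detect_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Per (host, user) outside EXPECTED_HOSTS, alert once when a sliding window
    of `window` length holds at least `threshold` enumeration commands."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] not in EXPECTED_HOSTS and is_enumeration(ev["cmd"]):
            by_actor[(ev["host"], ev["user"])].append(ev)
    alerts = []
    for (host, user), evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "user": user, "count": end - start + 1,
                               "commands": [e["cmd"] for e in evs[start:end + 1]]})
                break                           # one alert per actor
    return alerts

def T(minutes):  # constructed timestamps relative to a fixed base
    return datetime(2024, 1, 1, 9, 0, 0) + timedelta(minutes=minutes)

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": T(0), "host": "WS-042", "user": "jdoe", "cmd": "net user /domain"},
    {"ts": T(1), "host": "WS-042", "user": "jdoe", "cmd": "net1 user jdoe /domain"},
    {"ts": T(2), "host": "WS-042", "user": "jdoe", "cmd": "powershell.exe Get-ADUser -Filter *"},
    {"ts": T(3), "host": "DC01", "user": "svc_sync", "cmd": "net user /domain"},  # expected host
    {"ts": T(0), "host": "WS-099", "user": "bob", "cmd": "net user /domain"},    # 10 min apart:
    {"ts": T(10), "host": "WS-099", "user": "bob", "cmd": "net user /domain"},   # never 3 in 5 min
    {"ts": T(20), "host": "WS-099", "user": "bob", "cmd": "net user /domain"},
    {"ts": T(4), "host": "LNX-BUILD03", "user": "ci", "cmd": "wbinfo -u"},        # single command
    {"ts": T(5), "host": "MBP-ANN", "user": "ann", "cmd": "dscl /Active\\ Directory/All\\ Domains -list /Users"},
]
```

Running `detect_bursts(SAMPLE_EVENTS)` yields a single alert for WS-042/jdoe; the DC01 event is suppressed by the host filter, and bob's spread-out commands never fill the window.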