Detection of adversary enumeration of domain or local group memberships via native tools such as net.exe, PowerShell, or WMI. This activity may precede lateral movement or privilege escalation.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| CommandLineRegex | Regex filters for matching suspicious group enumeration commands (e.g., 'net group', 'Get-ADGroupMember'). |
| TimeWindow | Time threshold for correlating group discovery with subsequent suspicious activity (e.g., lateral movement). |
| UserContext | Whether the user performing discovery is in a sensitive group or running under an unusual context (e.g., a non-admin querying Domain Admins). |
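The three tunables above combined into one analytic, as an added example that is not part of the original page: the CommandLineRegex list is applied to normalized 4688/4104 events, UserContext raises the score when a non-admin asks about a sensitive group, and TimeWindow correlates each hit with alerts from a separate lateral-movement analytic. The events, the follow-on alerts, the regex list and the severity scale are all constructed for the example; the `is_admin` flag is assumed to come from an enrichment step such as a directory lookup, since neither 4688 nor 4104 carries it.

```python
import re
from datetime import datetime, timedelta

# CommandLineRegex tunable: native group-enumeration tooling (net.exe, the
# AD/local group PowerShell cmdlets, the WMI group classes). Constructed list.
COMMAND_LINE_REGEX = [
    re.compile(r"\bnet1?(\.exe)?\s+(local)?group\b", re.I),
    re.compile(r"\bGet-(AD|Local)GroupMember\b", re.I),
    re.compile(r"\bGet-ADPrincipalGroupMembership\b", re.I),
    re.compile(r"\bWin32_Group(User)?\b", re.I),
    re.compile(r"\bwhoami(\.exe)?\s+/groups\b", re.I),
]

# UserContext tunable: group names whose membership is sensitive to enumerate.
SENSITIVE_GROUPS = ("domain admins", "enterprise admins", "administrators")

# Constructed sample events, already normalized from 4688 (process creation)
# and 4104 (PowerShell script block) records. "is_admin" is assumed to come
# from an enrichment step such as a directory lookup, not from the event itself.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "event_code": 4688, "host": "WS01",
     "user": "CORP\\jdoe", "is_admin": False,
     "command": 'net group "Domain Admins" /domain'},
    {"time": "2024-05-01T10:00:30", "event_code": 4104, "host": "WS01",
     "user": "CORP\\jdoe", "is_admin": False,
     "command": 'Get-ADGroupMember -Identity "Domain Admins"'},
    {"time": "2024-05-01T11:00:00", "event_code": 4688, "host": "DC01",
     "user": "CORP\\svc_helpdesk", "is_admin": True,
     "command": "net group /domain"},
    {"time": "2024-05-01T12:00:00", "event_code": 4688, "host": "WS02",
     "user": "CORP\\asmith", "is_admin": False,
     "command": "notepad.exe report.txt"},
]

# Constructed output of a separate lateral-movement analytic; this is the
# "subsequent suspicious activity" side of the TimeWindow correlation.
SAMPLE_FOLLOW_ON_ALERTS = [
    {"time": "2024-05-01T10:20:00", "user": "CORP\\jdoe",
     "description": "lateral-movement alert: WS01 -> SRV01"},
]


def is_group_discovery(command):
    return any(rx.search(command) for rx in COMMAND_LINE_REGEX)


def user_context(event):
    """'elevated' when a non-admin asks about a sensitive group, else 'normal'."""
    lowered = event["command"].lower()
    if not event["is_admin"] and any(g in lowered for g in SENSITIVE_GROUPS):
        return "elevated"
    return "normal"


def detect(events, follow_on_alerts, time_window=timedelta(minutes=30)):
    """One finding per discovery event, scored by user context and follow-on correlation."""
    findings = []
    for ev in events:
        if ev["event_code"] not in (4688, 4104) or not is_group_discovery(ev["command"]):
            continue
        t0 = datetime.fromisoformat(ev["time"])
        correlated = [
            a["description"] for a in follow_on_alerts
            if a["user"] == ev["user"]
            and t0 <= datetime.fromisoformat(a["time"]) <= t0 + time_window
        ]
        if correlated:
            severity = "high"
        elif user_context(ev) == "elevated":
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "time": ev["time"], "host": ev["host"], "user": ev["user"],
            "command": ev["command"], "severity": severity, "correlated": correlated,
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, SAMPLE_FOLLOW_ON_ALERTS):
        print(f["severity"].upper(), f["user"], f["command"], f["correlated"])
```

Shrinking `time_window` to five minutes drops the two jdoe hits from high to medium: the follow-on alert is twenty minutes later and no longer correlates, but the non-admin query against Domain Admins still trips UserContext. The admin service account running a bare `net group /domain` stays low, which is the noise the tunables are meant to keep out of the queue.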
Detection of group enumeration using commands like 'id', 'groups', or 'getent group', often followed by privilege escalation or SSH lateral movement.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| CommandLine | Variations of enumeration commands tailored to different Linux distros (e.g., 'getent group', or parsing /etc/group with 'cut -d'). |
| TTYSession | TTY context or source terminal (remote shell vs local login) to reduce noise. |
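Working from raw auditd execve records rather than pre-parsed fields, as an added example that is not part of the original page: the SYSCALL and EXECVE records sharing an audit serial are joined into one execution record, argv is reconstructed (including the hex-encoded form auditd uses for arguments containing spaces), the CommandLine tunable is a small regex list covering the variants the table names, and the TTYSession tunable is applied by classifying the `tty` field and suppressing the contexts treated as noise. The log lines, the regex list and the choice to suppress local-console sessions are constructed for the example.

```python
import re

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# CommandLine tunable: enumeration variants across distributions. Constructed list.
LINUX_GROUP_ENUM = [
    re.compile(r"(^|\s)(id|groups)(\s|$)"),
    re.compile(r"\bgetent\s+group\b"),
    re.compile(r"\b(cat|grep|awk|cut)\b.*\s/etc/group\b"),
]

# Constructed auditd records (execve syscall rule with key "exec"), trimmed to the
# fields used here. Serial 4523 shows an argv element that auditd hex-encoded
# because it contains spaces.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557600.101:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2233 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="getent" exe="/usr/bin/getent" key="exec"
type=EXECVE msg=audit(1714557600.101:4521): argc=2 a0="getent" a1="group"
type=SYSCALL msg=audit(1714557660.202:4522): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=1822 auid=1001 uid=1001 euid=1001 tty=tty1 ses=2 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1714557660.202:4522): argc=1 a0="id"
type=SYSCALL msg=audit(1714557720.303:4523): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2301 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1714557720.303:4523): argc=3 a0="sh" a1="-c" a2=637574202D643A202D6631202F6574632F67726F7570
type=SYSCALL msg=audit(1714557780.404:4524): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2240 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1714557780.404:4524): argc=2 a0="ls" a1="-la"
"""


def decode_arg(raw):
    """Unquoted EXECVE args are hex-encoded when they contain spaces or odd bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r"[0-9A-Fa-f]+", raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_audit_log(text):
    """Join the SYSCALL and EXECVE records sharing an audit serial into one execution record."""
    by_serial = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        rec = by_serial.setdefault(serial, {"serial": serial, "time": float(ts), "args": {}})
        fields = dict(KV_RE.findall(body))
        if rtype == "SYSCALL":
            for k in ("tty", "uid", "auid", "ppid", "exe", "comm"):
                rec[k] = fields.get(k, "").strip('"')
        elif rtype == "EXECVE":
            # argv may be split across several EXECVE records; collect by index.
            for k, v in fields.items():
                if re.fullmatch(r"a\d+", k):
                    rec["args"][int(k[1:])] = decode_arg(v)
    records = []
    for serial in sorted(by_serial, key=int):
        rec = by_serial[serial]
        rec["command"] = " ".join(rec["args"][i] for i in sorted(rec["args"]))
        records.append(rec)
    return records


def tty_context(tty):
    """TTYSession tunable: where the command was typed, if anywhere."""
    if tty == "(none)":
        return "no-tty"           # cron, daemons, non-interactive scripts
    if tty.startswith("pts"):
        return "pseudo-terminal"  # SSH sessions and terminal emulators
    if tty.startswith("tty"):
        return "local-console"
    return "unknown"


def detect(records, suppress=("local-console",)):
    """Flag group enumeration, dropping the TTY contexts the tunable marks as noise."""
    findings = []
    for rec in records:
        cmd = rec.get("command", "")
        if not any(rx.search(cmd) for rx in LINUX_GROUP_ENUM):
            continue
        ctx = tty_context(rec.get("tty", ""))
        if ctx in suppress:
            continue
        findings.append({"serial": rec["serial"], "uid": rec.get("uid"), "exe": rec.get("exe"),
                         "tty": ctx, "command": cmd})
    return findings


if __name__ == "__main__":
    for f in detect(parse_audit_log(AUDIT_LOG)):
        print(f["serial"], f["tty"], f["exe"], f["command"])
```

Matching on the reconstructed argv rather than on `comm` is what catches serial 4523: `comm` says only `sh`, and the `/etc/group` parsing is hidden inside a hex-encoded `-c` argument. The same record has no TTY and `auid=4294967295` (no login session), which is exactly the automation context the TTYSession tunable wants kept rather than suppressed.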
Group membership checks via 'dscl', 'dscacheutil', or 'id', typically executed via terminal or automation scripts.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process:launch |

| Field | Description |
|---|---|
| CommandLine | Filters for suspicious execution of 'dscl . -read /Groups', etc. |
| ParentProcess | Flag group enumeration from automation tools (e.g., LaunchAgents or suspicious apps). |
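The ParentProcess tunable turned into a grading step, as an added example that is not part of the original page: each process-launch record whose command line matches the CommandLine filters is graded by what started it, with launchd (the parent of every LaunchAgent and LaunchDaemon job) and script hosts ranked above an interactive shell. The launch records are constructed and assumed to be already normalized from the unified log into process, parent and command-line fields; the regex list, the parent categories and the severity mapping are assumptions for the example.

```python
import re

# CommandLine tunable: constructed patterns for group lookups against Directory Services.
MACOS_GROUP_ENUM = [
    re.compile(r"\bdscl\b.*\s/Groups(/|\s|$)"),
    re.compile(r"\bdscacheutil\b.*-q\s+group\b"),
    re.compile(r"(^|\s)id(\s|$)"),
]

# ParentProcess tunable: how the parent of the enumerating process is interpreted.
# launchd is the parent of jobs started from LaunchAgents and LaunchDaemons.
INTERACTIVE_SHELLS = {"zsh", "bash", "sh", "fish"}
SCRIPT_HOSTS = {"osascript", "python3", "perl", "ruby", "node"}
SEVERITY_BY_PARENT = {
    "interactive-shell": "low",
    "script-host": "medium",
    "other": "medium",
    "launchd-job": "high",
}


def parent_context(parent):
    if parent == "launchd":
        return "launchd-job"
    if parent in INTERACTIVE_SHELLS:
        return "interactive-shell"
    if parent in SCRIPT_HOSTS:
        return "script-host"
    return "other"


# Constructed process-launch records, assumed already normalized from the
# unified log into process name, parent process name and full command line.
SAMPLE_LAUNCHES = [
    {"time": "2024-05-01T09:00:00", "user": "alice", "process": "dscl", "parent": "zsh",
     "command": "dscl . -read /Groups/admin GroupMembership"},
    {"time": "2024-05-01T09:05:00", "user": "alice", "process": "dscl", "parent": "launchd",
     "command": "dscl . -list /Groups"},
    {"time": "2024-05-01T09:10:00", "user": "alice", "process": "id", "parent": "osascript",
     "command": "id -G"},
    {"time": "2024-05-01T09:15:00", "user": "alice", "process": "dscacheutil", "parent": "Automator",
     "command": "dscacheutil -q group"},
    {"time": "2024-05-01T09:20:00", "user": "alice", "process": "ls", "parent": "zsh",
     "command": "ls -la"},
]


def detect(launches):
    """Flag group enumeration and grade each hit by its parent-process context."""
    findings = []
    for ev in launches:
        if not any(rx.search(ev["command"]) for rx in MACOS_GROUP_ENUM):
            continue
        ctx = parent_context(ev["parent"])
        findings.append({"time": ev["time"], "user": ev["user"], "parent": ev["parent"],
                         "context": ctx, "severity": SEVERITY_BY_PARENT[ctx],
                         "command": ev["command"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LAUNCHES):
        print(f["severity"].upper(), f["context"], f["parent"], "->", f["command"])
```

The same `dscl` read from an interactive zsh and from a launchd job produce different severities on purpose: an administrator checking group membership at a terminal is routine, while the identical command with no terminal in its ancestry is the LaunchAgent case the table calls out.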