Adversary enumeration of local user accounts using Net.exe, WMI, or PowerShell.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| CommandLinePattern | Detects variations of 'net user', 'net localgroup', 'Get-LocalUser'. |
| UserContext | Restrict monitoring to low-privileged or unexpected users executing enumeration. |
| TimeWindow | Tune for bursts of enumeration commands in short succession. |
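The Windows analytic above combines three tunables (command-line pattern, user context, time window). As an added example that is not part of this page, the following Python applies all three to constructed Sysmon EventCode=1 records: it matches the listed command variants (plus the `net1` alias), excludes a hypothetical trusted automation account, and alerts only when one user issues several enumeration commands inside a short window. Field names follow Sysmon Event ID 1 (`UtcTime`, `User`, `CommandLine`); the sample events, threshold and trusted-user list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon EventCode=1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:00:01", "User": "CORP\\jdoe", "CommandLine": "net user"},
    {"UtcTime": "2024-05-01 10:00:04", "User": "CORP\\jdoe", "CommandLine": "net localgroup administrators"},
    {"UtcTime": "2024-05-01 10:00:09", "User": "CORP\\jdoe", "CommandLine": "powershell -c Get-LocalUser"},
    # Privileged inventory job: filtered out by the UserContext rule below.
    {"UtcTime": "2024-05-01 10:30:00", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "net user"},
    {"UtcTime": "2024-05-01 11:00:00", "User": "CORP\\jdoe", "CommandLine": "notepad.exe"},
]

# CommandLinePattern: the page's three commands, allowing net1 / net.exe spellings.
ENUM_PATTERNS = [
    re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\b", re.I),
    re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\b", re.I),
    re.compile(r"\bGet-LocalUser\b", re.I),
]

# UserContext: accounts whose enumeration is expected (assumed tuning value).
TRUSTED_USERS = {"NT AUTHORITY\\SYSTEM"}
# TimeWindow: N matching commands by one user within WINDOW raises an alert.
WINDOW = timedelta(seconds=60)
THRESHOLD = 3


def is_enumeration(cmdline: str) -> bool:
    """True if the command line matches any local-account enumeration pattern."""
    return any(p.search(cmdline) for p in ENUM_PATTERNS)


def find_bursts(events, window=WINDOW, threshold=THRESHOLD, trusted=TRUSTED_USERS):
    """Return {user: [command lines]} for users whose enumeration commands
    reach `threshold` occurrences inside any `window`-long interval."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["User"] in trusted or not is_enumeration(ev["CommandLine"]):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        per_user[ev["User"]].append((ts, ev["CommandLine"]))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        for i in range(len(hits)):  # sliding window over sorted timestamps
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[user] = [cmd for _, cmd in hits[i:j]]
                break
    return alerts
```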
Enumeration of local users or groups via file access (/etc/passwd) or commands like id, groups.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:PATH | path |
| Process Creation (DC0032) | linux:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| AccessedFile | Monitors sensitive file access such as '/etc/passwd', '/etc/group'. |
| ExecutionScope | Restrict detection to user-initiated sessions or specific parent processes. |
Enumeration of macOS local users using dscl, id, dscacheutil, or /etc/passwd access.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | None |

| Field | Description |
|---|---|
| CommandLine | Monitor dscl . list /Users, dscacheutil -q user, id -un. |
| InteractiveSession | Focus on enumeration from non-console users or untrusted apps. |
Enumeration of local ESXi accounts using esxcli or vSphere API from unauthorized sessions.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | vpxd.log | vCenter Management |
| Process Creation (DC0032) | esxi:shell | Shell Execution |

| Field | Description |
|---|---|
| CommandPattern | Look for 'esxcli system account list' and API calls from unusual sources. |
| SessionType | Restrict detection to interactive sessions vs. maintenance/automation jobs. |