Detection of domain group enumeration through command-line utilities such as 'net group /domain' or PowerShell cmdlets, followed by suspicious access to API calls or LSASS memory.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| TimeWindow | Adjustable window to track chained discovery activity (e.g., 5-10 minutes). |
| UserContext | Tune to focus on non-admin users or service accounts performing enumeration. |
| ProcessLineageDepth | How far back the parent-child process chain is correlated. |
Behavioral detection of domain group enumeration via ldapsearch or custom scripts leveraging LDAP over the network.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Command Execution (DC0064) | linux:syslog | sshd logs |
| Network Traffic Content (DC0085) | NSM:Flow | ldap.log |

| Field | Description |
|---|---|
| LDAPQueryDepth | Tunable based on the number of LDAP queries before flagging suspicious behavior. |
| CommandPattern | Pattern matching against common ldapsearch or shell enumeration flags. |
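As an added example that is not part of the original detection strategy, the following Python applies the two tunables above to constructed telemetry: CommandPattern is matched against auditd EXECVE records (argument fields are shown in plain form; real auditd hex-encodes arguments that contain spaces), and LDAPQueryDepth is applied per source host to tab-separated LDAP search records loosely modelled on an NSM ldap.log. Hostnames, addresses, filters, the regexes and the threshold values are assumptions chosen for the demonstration.

```python
import re
from collections import Counter

# Tunables named after the analytic's fields; the values are assumptions for this demo.
LDAP_QUERY_DEPTH = 3   # LDAPQueryDepth: group-targeting LDAP searches from one source before flagging

# CommandPattern: ldapsearch invocations (directly or inside a shell one-liner) that ask for group objects.
COMMAND_PATTERN = re.compile(
    r"\bldapsearch\b.*?(?:objectClass=group|objectCategory=group|memberOf=)", re.I)

# Search filters in LDAP traffic that target group objects (assumed list, not exhaustive).
GROUP_FILTER = re.compile(r"objectClass=group|objectCategory=group|memberOf=", re.I)

# a0="..." a1="..." fields of an auditd EXECVE record.
AUDIT_ARG = re.compile(r'\ba(\d+)="([^"]*)"')

# Constructed auditd records: two ldapsearch group enumerations, one benign user lookup,
# and a SYSCALL record that carries no argv and is ignored.
AUDIT_LINES = [
    'type=EXECVE msg=audit(1714557600.101:201): argc=7 a0="ldapsearch" a1="-x" a2="-H" '
    'a3="ldap://dc01.corp.local" a4="-b" a5="dc=corp,dc=local" a6="(objectClass=group)"',
    'type=EXECVE msg=audit(1714557605.220:202): argc=3 a0="ldapsearch" a1="-x" a2="uid=jdoe"',
    'type=EXECVE msg=audit(1714557610.330:203): argc=3 a0="bash" a1="-c" '
    'a2="ldapsearch -x -b dc=corp,dc=local (memberOf=cn=Domain Admins,cn=Users,dc=corp,dc=local)"',
    'type=SYSCALL msg=audit(1714557610.330:203): arch=c000003e syscall=59 success=yes exit=0 comm="bash"',
]

# Constructed LDAP records, tab-separated: ts, src, dst, op, base, filter.
# 10.1.5.23 issues three group-targeting searches; 10.1.7.8 issues one plus a user lookup.
LDAP_LOG = [
    "#fields\tts\tsrc\tdst\top\tbase\tfilter",
    "1714557600.101\t10.1.5.23\t10.1.0.10\tSearchRequest\tdc=corp,dc=local\t(objectClass=group)",
    "1714557601.500\t10.1.5.23\t10.1.0.10\tSearchRequest\tdc=corp,dc=local\t(&(objectCategory=group)(cn=Domain Admins))",
    "1714557602.900\t10.1.5.23\t10.1.0.10\tSearchRequest\tcn=Users,dc=corp,dc=local\t(memberOf=cn=Domain Admins,cn=Users,dc=corp,dc=local)",
    "1714557603.100\t10.1.5.23\t10.1.0.10\tBindRequest\t\t",
    "1714557650.000\t10.1.7.8\t10.1.0.10\tSearchRequest\tdc=corp,dc=local\t(sAMAccountName=jdoe)",
    "1714557660.000\t10.1.7.8\t10.1.0.10\tSearchRequest\tdc=corp,dc=local\t(objectClass=group)",
]


def execve_cmdline(line):
    """Rebuild the command line from the a0..aN fields of an auditd EXECVE record."""
    args = sorted(((int(i), v) for i, v in AUDIT_ARG.findall(line)), key=lambda kv: kv[0])
    return " ".join(v for _, v in args)


def flag_commands(audit_lines, pattern=COMMAND_PATTERN):
    """Return the EXECVE command lines that match CommandPattern."""
    cmdlines = (execve_cmdline(l) for l in audit_lines if "type=EXECVE" in l)
    return [c for c in cmdlines if pattern.search(c)]


def flag_ldap_sources(ldap_lines, depth=LDAP_QUERY_DEPTH):
    """Count group-targeting LDAP searches per source host; return hosts at or above LDAPQueryDepth."""
    counts = Counter()
    for line in ldap_lines:
        fields = line.rstrip("\n").split("\t")
        if line.startswith("#") or len(fields) != 6:
            continue  # header or malformed record
        _ts, src, _dst, op, _base, flt = fields
        if op == "SearchRequest" and GROUP_FILTER.search(flt):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= depth}


if __name__ == "__main__":
    for cmd in flag_commands(AUDIT_LINES):
        print("CommandPattern hit:", cmd)
    for src, n in flag_ldap_sources(LDAP_LOG).items():
        print(f"LDAPQueryDepth hit: {src} issued {n} group-targeting searches")
```

Raising LDAPQueryDepth reduces noise from hosts that legitimately resolve a group or two (sudo with LDAP-backed groups, for instance); the EXECVE side stays independent so a single matching command line still surfaces even when the network side is below threshold.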
Enumeration of domain groups using dscacheutil or dscl commands, often following initial login or domain trust queries.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process events |

| Field | Description |
|---|---|
| CommandSignatureThreshold | Defines how strictly command patterns must match known enumeration syntax. |
| TimeWindow | Adjustable window to correlate chained behavior such as group enumeration followed by user targeting. |
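The Windows analytic at the top of the page and the macOS analytic just above share one shape: a command pattern for group enumeration, followed within TimeWindow by a second behaviour (LSASS access on Windows, user targeting on macOS), scoped by UserContext and joined through the process tree up to ProcessLineageDepth. The following Python correlator is an added example, not code from the original strategy, and implements that logic over constructed process events for both platforms. The regexes, account names, hostnames, PIDs and threshold values are assumptions; a real 4104 script-block record carries no parent PID, so the sample assigns one to let it join the same lineage.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables named after the analytic fields; the values are assumptions for this demo.
TIME_WINDOW = timedelta(minutes=5)      # TimeWindow
PROCESS_LINEAGE_DEPTH = 3               # ProcessLineageDepth: ancestors walked when joining events
ADMIN_ACCOUNTS = {"CORP\\da-jsmith"}    # UserContext: accounts whose enumeration is expected

# Domain group enumeration syntax per platform (assumed patterns, not exhaustive).
ENUM_PATTERNS = {
    "windows": re.compile(r"\bnet1?(?:\.exe)?\s+group\b.*?/domain\b|Get-(?:AD|Domain)Group(?:Member)?\b", re.I),
    "macos": re.compile(r"\bdscl\b.*?/Groups\b|\bdscacheutil\b.*?-q\s+group\b", re.I),
}
# Follow-on behaviour for macOS: user lookups after group enumeration.
# On Windows the follow-on is an LSASS access event, represented by kind="lsass_access".
FOLLOWON_PATTERNS = {
    "macos": re.compile(r"\bdscl\b.*?/Users/\S+|\bdscacheutil\b.*?-q\s+user\b", re.I),
}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    platform: str   # "windows" or "macos"
    pid: int
    ppid: int
    cmd: str
    kind: str       # "process" (4688 / unifiedlog), "script" (4104), "lsass_access"


def is_enumeration(e):
    pat = ENUM_PATTERNS.get(e.platform)
    return bool(pat and pat.search(e.cmd))


def is_followon(e):
    pat = FOLLOWON_PATTERNS.get(e.platform)
    return e.kind == "lsass_access" or bool(pat and pat.search(e.cmd))


def lineage(pid, parents, depth):
    """The pid plus up to `depth` ancestors, as far as the known process tree reaches."""
    chain = [pid]
    while pid in parents and len(chain) <= depth:
        pid = parents[pid]
        chain.append(pid)
    return chain


def correlate(events, window=TIME_WINDOW, depth=PROCESS_LINEAGE_DEPTH, admin_accounts=ADMIN_ACCOUNTS):
    """Alert on a follow-on event preceded, within the window, by group enumeration from the
    same user and host whose lineage overlaps the follow-on's lineage within `depth`."""
    parents = {e.pid: e.ppid for e in events}
    enums = [e for e in events if e.user not in admin_accounts and is_enumeration(e)]
    alerts = []
    for b in events:
        if not is_followon(b):
            continue
        chain = [a for a in enums
                 if a.host == b.host and a.user == b.user
                 and timedelta(0) <= b.ts - a.ts <= window
                 and set(lineage(a.pid, parents, depth)) & set(lineage(b.pid, parents, depth))]
        if chain:
            alerts.append({"host": b.host, "user": b.user, "ts": b.ts,
                           "enumeration": [a.cmd for a in chain], "followon": b.cmd})
    return alerts


T = datetime.fromisoformat
EVENTS = [  # constructed sample telemetry
    # Windows: three enumeration commands from one cmd.exe (ppid 3000), then LSASS access in-window
    Event(T("2024-05-01T10:00:00"), "WS01", "CORP\\jdoe", "windows", 4001, 3000, 'net group "Domain Admins" /domain', "process"),
    Event(T("2024-05-01T10:00:05"), "WS01", "CORP\\jdoe", "windows", 4002, 3000, "net group /domain", "process"),
    Event(T("2024-05-01T10:01:00"), "WS01", "CORP\\jdoe", "windows", 4005, 3000, "Get-ADGroupMember -Identity 'Domain Admins'", "script"),
    Event(T("2024-05-01T10:03:00"), "WS01", "CORP\\jdoe", "windows", 4010, 3000, "<LSASS memory access>", "lsass_access"),
    # Expected admin activity: suppressed by UserContext
    Event(T("2024-05-01T11:00:00"), "WS01", "CORP\\da-jsmith", "windows", 5001, 5000, "net group /domain", "process"),
    Event(T("2024-05-01T11:01:00"), "WS01", "CORP\\da-jsmith", "windows", 5002, 5000, "<LSASS memory access>", "lsass_access"),
    # Same user, but the follow-on falls outside TimeWindow
    Event(T("2024-05-01T14:00:00"), "WS02", "CORP\\jdoe", "windows", 6001, 6000, "net group /domain", "process"),
    Event(T("2024-05-01T14:30:00"), "WS02", "CORP\\jdoe", "windows", 6002, 6000, "<LSASS memory access>", "lsass_access"),
    # macOS: group enumeration then a user lookup from the same shell (ppid 400)
    Event(T("2024-05-01T09:00:00"), "MAC01", "alice", "macos", 501, 400, 'dscl "/Active Directory/CORP/All Domains" -list /Groups', "process"),
    Event(T("2024-05-01T09:02:00"), "MAC01", "alice", "macos", 505, 400, 'dscl "/Active Directory/CORP/All Domains" -read /Users/bob', "process"),
    # Unrelated lineage (ppid 999): not joined under ProcessLineageDepth
    Event(T("2024-05-01T09:03:00"), "MAC01", "alice", "macos", 600, 999, "dscacheutil -q user -a name bob", "process"),
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['ts']} {a['host']} {a['user']}: {a['enumeration']} -> {a['followon']}")
```

The three knobs behave independently: clearing `admin_accounts` surfaces the admin session, shrinking `window` drops the chained pairs, and `depth=0` requires the two events to come from the same PID, which silences everything in the sample. CommandSignatureThreshold is not modelled here; tightening it corresponds to narrowing the regexes in ENUM_PATTERNS.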