Detection of processes performing local or domain account enumeration by invoking account directory queries or security APIs followed by structured output of account lists. The defender observes command execution or API invocation patterns that retrieve account information and produce enumeration artifacts shortly afterward.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Group Enumeration (DC0099) | WinEventLog:Security | EventCode=4798, 4799 |

| Field | Description |
|---|---|
| CommandLinePattern | Match variations of enumeration commands such as 'net user', 'Get-ADUser', 'dsquery'. |
| TimeWindow | A short burst of account enumeration commands may indicate automation. |
| UserContext | Restrict to non-admin accounts or unexpected users executing enumeration commands. |
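The three tuning fields above (CommandLinePattern, TimeWindow, UserContext) combine into a single rule. The following is an added example written for this page, not code from the detection strategy itself: it runs the rule over a handful of constructed Sysmon EventCode=1 records, reports one alert per user whose matching commands cluster inside a sliding window, and drops accounts on an admin allowlist. The allowlist, window length, threshold and sample events are all assumptions chosen for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns for the enumeration commands named in the tuning table.
# net1.exe is the helper that net.exe hands its work to, so both spellings are covered.
ENUM_PATTERNS = [
    re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b", re.IGNORECASE),
    re.compile(r"\bGet-AD(User|Group|GroupMember)\b", re.IGNORECASE),
    re.compile(r"\bdsquery(\.exe)?\s+(user|group)\b", re.IGNORECASE),
]

# Constructed tuning values (assumptions, not values from the detection strategy).
ADMIN_ACCOUNTS = {"CORP\\svc-adaudit"}      # UserContext: accounts expected to enumerate
TIME_WINDOW = timedelta(seconds=60)         # TimeWindow: burst window
BURST_THRESHOLD = 3                         # matches per user per window before alerting

# Constructed Sysmon EventCode=1 records, reduced to the fields the logic needs.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:01.000", "User": "CORP\\jdoe",
     "CommandLine": "net user /domain"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:04.000", "User": "CORP\\jdoe",
     "CommandLine": "C:\\Windows\\system32\\net1 group /domain"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:09.000", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -c Get-ADUser -Filter *"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:12.000", "User": "CORP\\jdoe",
     "CommandLine": "dsquery user -limit 0"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:03:00.000", "User": "CORP\\svc-adaudit",
     "CommandLine": "powershell.exe Get-ADUser -Filter *"},
    {"EventCode": 1, "UtcTime": "2024-05-01 11:00:00.000", "User": "CORP\\asmith",
     "CommandLine": "net user asmith"},
    {"EventCode": 3, "UtcTime": "2024-05-01 11:00:01.000", "User": "CORP\\asmith",
     "CommandLine": ""},  # network connection event, not process creation
]


def is_enumeration(command_line):
    """True when the command line matches one of the enumeration patterns."""
    return any(p.search(command_line or "") for p in ENUM_PATTERNS)


def find_enumeration_bursts(events, window=TIME_WINDOW, threshold=BURST_THRESHOLD,
                            admin_accounts=ADMIN_ACCOUNTS):
    """Return one alert per user whose enumeration commands cluster inside `window`.

    Only EventCode=1 records are considered, admin accounts are filtered out
    (UserContext), and the densest sliding window per user is reported (TimeWindow).
    """
    per_user = {}
    for ev in events:
        if ev.get("EventCode") != 1 or ev["User"] in admin_accounts:
            continue
        if not is_enumeration(ev.get("CommandLine")):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        per_user.setdefault(ev["User"], []).append((ts, ev["CommandLine"]))

    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        best = None
        j = 0
        for i in range(len(hits)):          # two-pointer sliding window over sorted hits
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            if best is None or (j - i) > best["count"]:
                best = {"user": user, "count": j - i,
                        "start": hits[i][0], "end": hits[j - 1][0],
                        "commands": [c for _, c in hits[i:j]]}
        if best and best["count"] >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration_bursts(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['count']} enumeration commands "
              f"between {alert['start']} and {alert['end']}")
```

A single `net user <name>` from an ordinary user stays below the threshold, which is the intended effect of the TimeWindow field: the rule fires on the automation-like burst, not on a one-off lookup. Raising the threshold or shortening the window is how the rule is tuned per environment.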
Enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | PATH |
| Process Creation (DC0032) | linux:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| AccessedFile | Tune based on file paths such as '/etc/passwd', '/etc/group', '/etc/shadow'. |
| ParentProcessName | Filter known admin processes to reduce false positives. |
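The auditd channel produces a SYSCALL record and one or more PATH records per file access, joined by the audit serial; the AccessedFile and ParentProcessName fields are applied after that join. The following is an added example, not part of the detection strategy: it parses constructed auditd lines, joins them by serial, flags successful reads of the identity files, and suppresses hits explained by an allowlist. Because SYSCALL records carry only the parent's pid (`ppid`), the parent name comes from a constructed `PARENT_NAMES` table standing in for process-tree enrichment; the allowlists and sample lines are likewise assumptions.

```python
import re

# Identity files from the AccessedFile tuning note.
WATCHED_FILES = {"/etc/passwd", "/etc/group", "/etc/shadow"}

# Constructed allowlists standing in for the ParentProcessName filter (assumptions).
KNOWN_ADMIN_EXES = {"/usr/sbin/sshd", "/usr/sbin/nscd"}   # daemons that read these files legitimately
ALLOWED_PARENTS = {"cron"}                                 # scheduled admin jobs

# auditd SYSCALL records carry the parent's pid (ppid) but not its name; this
# constructed ppid->name table stands in for process-tree enrichment.
PARENT_NAMES = {1: "systemd", 1500: "bash", 2200: "cron"}

# Constructed auditd lines (fields trimmed to what the logic uses). Each syscall
# produces a SYSCALL record plus one PATH record per touched path, sharing a serial.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1714557601.101:2001): arch=c000003e syscall=257 success=yes exit=3 ppid=1500 pid=1501 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="identity"
type=PATH msg=audit(1714557601.101:2001): item=0 name="/etc/shadow" inode=131 dev=fd:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1714557602.300:2002): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=900 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="identity"
type=PATH msg=audit(1714557602.300:2002): item=0 name="/etc/passwd" inode=129 dev=fd:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1714557603.500:2003): arch=c000003e syscall=257 success=yes exit=3 ppid=1500 pid=1502 auid=1000 uid=1000 comm="getent" exe="/usr/bin/getent" key="identity"
type=PATH msg=audit(1714557603.500:2003): item=0 name="/etc/group" inode=130 dev=fd:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1714557700.000:2004): arch=c000003e syscall=257 success=yes exit=3 ppid=2200 pid=2201 auid=4294967295 uid=0 comm="tar" exe="/usr/bin/tar" key="identity"
type=PATH msg=audit(1714557700.000:2004): item=0 name="/etc/shadow" inode=131 dev=fd:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1714557710.000:2005): arch=c000003e syscall=257 success=yes exit=3 ppid=1500 pid=1503 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1714557710.000:2005): item=0 name="/home/jdoe/notes.txt" inode=9001 dev=fd:01 mode=0100644 ouid=1000 ogid=1000
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Split one auditd line into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = SERIAL_RE.search(rec.get("msg", ""))
    if m:
        rec["timestamp"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec


def group_by_serial(lines):
    """Join SYSCALL and PATH records that belong to the same audit event."""
    events = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        ev = events.setdefault(rec["serial"], {"syscall": None, "paths": []})
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
    return events


def find_identity_file_access(log_text, watched=WATCHED_FILES,
                              admin_exes=KNOWN_ADMIN_EXES,
                              allowed_parents=ALLOWED_PARENTS,
                              parent_names=PARENT_NAMES):
    """Return alerts for successful reads of identity files not explained by an allowlist."""
    alerts = []
    for serial, ev in sorted(group_by_serial(log_text.splitlines()).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "yes":
            continue
        touched = sorted(set(ev["paths"]) & watched)
        if not touched:
            continue
        parent = parent_names.get(int(sc["ppid"]), "unknown")
        if sc["exe"] in admin_exes or parent in allowed_parents:
            continue                     # ParentProcessName / known-admin filter
        alerts.append({"serial": serial, "exe": sc["exe"], "parent": parent,
                       "auid": sc["auid"], "files": touched})
    return alerts


if __name__ == "__main__":
    for a in find_identity_file_access(SAMPLE_LOG):
        print(f"audit {a['serial']}: {a['exe']} (parent {a['parent']}, auid {a['auid']}) read {a['files']}")
```

The `auid` (login uid) survives `su`/`sudo` and is the field to pivot on when the reading process runs as root; reporting it alongside the parent name is what makes the alert attributable to a session rather than just to a binary.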
Detection of account enumeration through directory service queries or system utilities accessing account metadata stores, followed by structured enumeration output.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process event |
| User Account Metadata (DC0013) | macos:unifiedlog | DirectoryService queries retrieving account information |

| Field | Description |
|---|---|
| CommandLine | Tune for 'dscl -list', 'dscacheutil -q user', 'id -un', etc. |
| ExecutionContext | Alert if enumeration is performed in a non-console session or by unusual users. |
Detection of enumeration of identity entities through cloud provider APIs where principals retrieve account metadata such as IAM users or roles in rapid succession.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | AWS:CloudTrail | DescribeUsers / ListUsers / GetUser |

| Field | Description |
|---|---|
| API_Method | Tune based on which IAM APIs are used and their frequency. |
| CallerType | Differentiate user-initiated from automated/scripted enumeration. |
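In CloudTrail the API_Method field is the `eventName`, and CallerType has to be derived from `userIdentity` and `userAgent` because CloudTrail does not label calls as interactive or scripted. The following is an added example, not code from the detection strategy: it buckets IAM read calls per principal into fixed windows, attributes assumed-role sessions to the issuing role, and classifies the caller from the user agent. `ListRoles` and `ListGroups` are added alongside the page's `ListUsers`/`GetUser` on the assumption that role and group listing belong to the same activity; the `_record` helper, sample records, window length and threshold are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# API_Method: IAM read calls to watch. ListUsers/GetUser come from the channel column;
# ListRoles/ListGroups are an assumption covering role and group enumeration.
ENUM_API_METHODS = {"ListUsers", "GetUser", "ListRoles", "ListGroups"}

WINDOW_SECONDS = 300   # constructed tuning: fixed 5-minute buckets
THRESHOLD = 4          # constructed tuning: calls per principal per bucket before alerting


def _record(event_time, event_name, arn, user_agent, ident_type="IAMUser", issuer_arn=None):
    """Build a trimmed CloudTrail record (constructed sample data, not a real event)."""
    identity = {"type": ident_type, "arn": arn}
    if ident_type == "AssumedRole":
        identity["sessionContext"] = {"sessionIssuer": {"arn": issuer_arn}}
    return {"eventSource": "iam.amazonaws.com", "eventName": event_name,
            "eventTime": event_time, "userIdentity": identity, "userAgent": user_agent}


RECON = "arn:aws:iam::123456789012:user/recon-user"      # constructed principal
CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0"      # constructed user agent

SAMPLE_RECORDS = [
    _record("2024-05-01T10:00:00Z", "ListUsers", RECON, CLI_UA),
    _record("2024-05-01T10:00:05Z", "GetUser", RECON, CLI_UA),
    _record("2024-05-01T10:00:06Z", "GetUser", RECON, CLI_UA),
    _record("2024-05-01T10:00:09Z", "ListRoles", RECON, CLI_UA),
    _record("2024-05-01T10:00:15Z", "ListGroups", RECON, CLI_UA),
    # one console lookup by an administrator: below threshold, no alert
    _record("2024-05-01T10:01:00Z", "ListUsers",
            "arn:aws:iam::123456789012:user/admin", "console.amazonaws.com"),
    # one SDK call from a CI role session: attributed to the role, below threshold
    _record("2024-05-01T10:02:00Z", "ListUsers",
            "arn:aws:sts::123456789012:assumed-role/ci-role/build-42", "Boto3/1.34.0",
            ident_type="AssumedRole", issuer_arn="arn:aws:iam::123456789012:role/ci-role"),
    # non-IAM event, ignored by the eventSource filter
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "eventTime": "2024-05-01T10:02:30Z",
     "userIdentity": {"type": "IAMUser", "arn": RECON}, "userAgent": CLI_UA},
]


def classify_caller(record):
    """CallerType heuristic from the user agent: console session, CLI/SDK, or unknown."""
    ua = record.get("userAgent", "")
    if "console.amazonaws.com" in ua or "signin.amazonaws.com" in ua:
        return "console"
    if ua.startswith(("aws-cli/", "Boto3/", "aws-sdk-")):
        return "cli_sdk"
    return "unknown"


def principal_of(record):
    """Attribute assumed-role sessions to the issuing role so one role is one principal."""
    ident = record["userIdentity"]
    if ident["type"] == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident["arn"]


def find_iam_enumeration(records, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per (principal, window) whose IAM read-call count reaches the threshold."""
    buckets = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec["eventName"] not in ENUM_API_METHODS:
            continue
        t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        bucket = int(t.timestamp()) // window_seconds
        buckets[(principal_of(rec), bucket)].append(rec)

    alerts = []
    for (principal, bucket), recs in sorted(buckets.items()):
        if len(recs) < threshold:
            continue
        alerts.append({"principal": principal, "count": len(recs),
                       "api_methods": sorted({r["eventName"] for r in recs}),
                       "caller_types": sorted({classify_caller(r) for r in recs}),
                       "window_start": datetime.fromtimestamp(bucket * window_seconds,
                                                              tz=timezone.utc)})
    return alerts


if __name__ == "__main__":
    for a in find_iam_enumeration(SAMPLE_RECORDS):
        print(f"{a['principal']}: {a['count']} calls {a['api_methods']} via {a['caller_types']} "
              f"starting {a['window_start'].isoformat()}")
```

Fixed buckets are cheaper than a sliding window when the source is a query against a log store, at the cost of splitting a burst that straddles a bucket boundary; a sliding window as in the Windows example is the alternative when events are processed as a stream.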
Detection of identity directory enumeration through API calls or administrative queries retrieving multiple account objects within a short interval.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | azure:signinlogs | Graph API Query |
| User Account Metadata (DC0013) | saas:okta | User Enumeration Events |

| Field | Description |
|---|---|
| QueryType | Distinguish user enumeration from role enumeration; tune based on query scope. |
| AppContext | Correlate enumeration with unexpected app registrations or identities. |
Detection of enumeration activity when system processes query ESXi host account configuration or management APIs to retrieve user account listings.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:vpxd | vCenter Management |

| Field | Description |
|---|---|
| CommandPattern | Tune based on known enumeration commands such as 'vim-cmd vimsvc/auth/userlist'. |
| PrivilegedSession | Elevated enumeration from vpxuser or root may indicate threat activity. |
Account enumeration via bulk access to user directory features or hidden APIs.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | gcp:audit | Directory API Access |

| Field | Description |
|---|---|
| EndpointURL | Tune based on enumeration from directory endpoints such as /users, /groups. |
| UserAgent | Detect scripted enumeration via curl/wget or unknown tools. |
Account discovery via VBA macros, COM objects, or embedded scripting.

| Data Component | Name | Channel |
|---|---|---|
| Script Execution (DC0029) | m365:unified | Scripted Activity |

| Field | Description |
|---|---|
| MacroName | Alert on auto-running macros accessing directory or user info. |
| ExecutionScope | Focus on macros invoking LDAP, ADODB, or WMI queries. |