Detection of suspicious enumeration of local or domain accounts via command-line tools, WMI, or scripts.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| CommandLinePattern | Match variations of enumeration commands such as 'net user', 'Get-ADUser', 'dsquery'. |
| TimeWindow | A short burst of account enumeration commands may indicate automation. |
| UserContext | Restrict to non-admin accounts or unexpected users executing enumeration commands. |
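The Windows analytic above combines three tunables: a command-line pattern, a time window for bursts, and the user context. The following added example (not part of the original detection strategy) implements that logic over constructed Sysmon EventCode=1 records; the field names `UtcTime`, `User` and `CommandLine`, the 60-second window, the burst threshold of 3 and the `expected_users` allow-list are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the enumeration tools named in the analytic.
ENUM_PATTERNS = [
    re.compile(r"\bnet(?:1)?(?:\.exe)?\s+(?:user|group|localgroup)\b", re.I),
    re.compile(r"\bGet-AD(?:User|Group|GroupMember)\b", re.I),
    re.compile(r"\bdsquery(?:\.exe)?\s+(?:user|group)\b", re.I),
]

def is_enumeration(command_line):
    """True if the command line matches a known account-enumeration pattern."""
    return any(p.search(command_line) for p in ENUM_PATTERNS)

def detect_bursts(events, window_seconds=60, burst_threshold=3, expected_users=frozenset()):
    """Return one alert per user whose enumeration commands form a burst inside the
    window, or who is not an expected (admin/helpdesk) account. Each event is a dict
    with 'UtcTime' (ISO string), 'User' and 'CommandLine' from Sysmon EventCode=1."""
    hits = defaultdict(list)
    for ev in events:
        if is_enumeration(ev["CommandLine"]):
            hits[ev["User"]].append(datetime.fromisoformat(ev["UtcTime"]))
    alerts, window = [], timedelta(seconds=window_seconds)
    for user, times in hits.items():
        times.sort()
        # Sliding window: largest number of hits within any window_seconds span.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        reasons = []
        if peak >= burst_threshold:
            reasons.append(f"{peak} enumeration commands within {window_seconds}s")
        if user not in expected_users:
            reasons.append("unexpected user context")
        if reasons:
            alerts.append({"user": user, "hits": len(times), "reasons": reasons})
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01T10:00:01", "User": "CORP\\jdoe", "CommandLine": "net user /domain"},
    {"UtcTime": "2024-05-01T10:00:05", "User": "CORP\\jdoe", "CommandLine": "net group \"Domain Admins\" /domain"},
    {"UtcTime": "2024-05-01T10:00:09", "User": "CORP\\jdoe", "CommandLine": "powershell -c Get-ADUser -Filter *"},
    {"UtcTime": "2024-05-01T10:00:12", "User": "CORP\\jdoe", "CommandLine": "dsquery user -limit 0"},
    {"UtcTime": "2024-05-01T11:30:00", "User": "CORP\\helpdesk", "CommandLine": "net user alice /domain"},
    {"UtcTime": "2024-05-01T12:00:00", "User": "CORP\\jdoe", "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS, expected_users={"CORP\\helpdesk"}):
        print(alert)
```

With the sample data only `CORP\jdoe` is reported, for both a four-command burst and an unexpected user context; the single helpdesk lookup is suppressed by the allow-list.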
Enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | PATH |
| Process Creation (DC0032) | linux:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| AccessedFile | Tune based on file paths such as '/etc/passwd', '/etc/group', '/etc/shadow'. |
| ParentProcessName | Filter known admin processes to reduce false positives. |
Detection of user account enumeration through tools such as dscl and dscacheutil, or login-shell enumeration via the command line.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process event |

| Field | Description |
|---|---|
| CommandLine | Tune for 'dscl -list', 'dscacheutil -q user', 'id -un', etc. |
| ExecutionContext | Alert if enumeration is performed in a non-console session or by unusual users. |
Detection of API calls listing users, IAM roles, or groups in cloud environments.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | AWS:CloudTrail | DescribeUsers / ListUsers / GetUser |

| Field | Description |
|---|---|
| API_Method | Tune based on which IAM APIs are used and their frequency. |
| CallerType | Differentiate user-initiated from automated/scripted enumeration. |
Enumeration of user or role objects via IdP API endpoints or LDAP queries.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | azure:signinlogs | Graph API Query |
| User Account Metadata (DC0013) | saas:okta | User Enumeration Events |

| Field | Description |
|---|---|
| QueryType | Distinguish user enumeration from role enumeration. Tune based on query scope. |
| AppContext | Correlate enumeration with unexpected app registrations or identities. |
Account enumeration via esxcli, vim-cmd, or API calls to vSphere.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:vpxd | vCenter Management |

| Field | Description |
|---|---|
| CommandPattern | Tune based on known enumeration commands, such as 'vim-cmd vimsvc/auth/userlist'. |
| PrivilegedSession | Elevated enumeration from vpxuser or root may indicate threat activity. |
Account enumeration via bulk access to user directory features or hidden APIs.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | gcp:audit | Directory API Access |

| Field | Description |
|---|---|
| EndpointURL | Tune based on enumeration from directory endpoints such as /users and /groups. |
| UserAgent | Detect scripted enumeration via curl/wget or unknown tools. |
Account discovery via VBA macros, COM objects, or embedded scripting.

| Data Component | Name | Channel |
|---|---|---|
| Script Execution (DC0029) | m365:unified | Scripted Activity |

| Field | Description |
|---|---|
| MacroName | Alert on auto-running macros accessing directory or user info. |
| ExecutionScope | Focus on macros invoking LDAP, ADODB, or WMI queries. |