Skip to content

DC0013 User Account Metadata

Item Value
ID DC0013
Version 2.0
Created 20 October 2021
Last Modified 21 October 2025

Log Sources

Name Channel
auditd:SYSCALL open,openat,read
AWS:CloudTrail AssumeRole
AWS:CloudTrail GetAccountPasswordPolicy
AWS:CloudTrail PassRole
AWS:CloudTrail AssumeRole: Discovery actions tied to assumed identities outside of normal context
azure:activity Azure CLI Operation: Microsoft.Graph/users/read
azure:audit operation contains ‘GetPasswordPolicy’ OR ‘ListAuthenticationPolicy’ OR ‘Get-ADDefaultDomainPasswordPolicy’
CloudTrail:GetCallerIdentity GetCallerIdentity
Defender for Identity Suspicious Enumeration of Cloud Directory
gcp:audit Directory API Access: users.list or groups.list
gcp:audit IAM API call: serviceAccounts.list or projects.getIamPolicy
gcp:audit Directory API Access
gcp:iam PrincipalEmail with serviceAccountTokenCreator impersonating new identity
Google Admin Audit users.list, groups.list
linux:osquery Listing of /etc/passwd and /etc/shadow metadata
m365:unified Workload=AzureActiveDirectory OR Exchange AND (Operation=Cmdlet AND Parameters contains ‘Password’ AND (CmdletName=’Get-*’ OR CmdletName=’Get-OrganizationConfig’))
macos:MDM profiles -P
macos:unifiedlog Creation of user account with UID <500
Microsoft Entra ID Audit Logs RoleManagement.Read.Directory or Directory.Read.All
Microsoft Graph API Logs users.list, directoryObjects.getByIds
saas:auth Refresh token issuance or refresh token usage from new IPs or user agents
saas:okta User lifecycle events
saas:okta User Enumeration Events
vpxd.log vCenter Management
windows:osquery User enumeration with creation/last modified timestamps
WinEventLog:Security EventCode=4720, 4738
WinEventLog:Security EventCode=4673
WinEventLog:Security EventCode=4674

Detection Strategy

ID Name Technique Detected
DET0136 Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows) T1134.005
DET0338 Behavioral Detection Strategy for Use Alternate Authentication Material (T1550) T1550
DET0386 Cloud Account Enumeration via API, CLI, and Scripting Interfaces T1087.004
DET0507 Detect browser session hijacking via privilege, handle access, and remote thread into browsers T1185
DET0247 Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS) T1535
DET0363 Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence T1003.001
DET0402 Detection Strategy for Cloud Service Discovery T1526
DET0147 Detection Strategy for Cloud Service Hijacking via SaaS Abuse T1496.004
DET0316 Detection Strategy for Disk Content Wipe via Direct Access and Overwrite T1561.001
DET0297 Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite T1561.002
DET0137 Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands T1561
DET0353 Detection Strategy for Hidden User Accounts T1564.002
DET0383 Detection Strategy for Masquerading via Account Name Similarity T1036.010
DET0393 Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005) T1548.005
DET0176 Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) T1189
DET0229 Enumeration of Global Address Lists via Email Account Discovery T1087.003
DET0587 Enumeration of User or Account Information Across Platforms T1087
DET0303 Local Account Enumeration Across Host Platforms T1087.001
DET0484 Multi-Platform Cloud Storage Exfiltration Behavior Chain T1530
DET0161 Password Policy Discovery – cross-platform behavior-chain analytics T1201