Skip to content

DET0093 Behavioral Detection of User Discovery via Local and Remote Enumeration

Item Value
ID DET0093
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1033 (System Owner/User Discovery)

Analytics

Windows

AN0254

Adversary launches built-in system tools (e.g., whoami, query user, net user) or scripts that enumerate user account information via local execution or remote API queries (e.g., WMI, PowerShell).

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Mutable Elements
Field Description
ParentProcessContext Identify if enumeration originates from non-interactive shell or system service
TimeWindow Tune temporal grouping of enumeration + lateral movement attempts
UserContext Flag unexpected users issuing enumeration commands (e.g., service accounts)

Linux

AN0255

Adversary runs commands like whoami, id, w, or cat /etc/passwd from non-interactive or scripting contexts to enumerate system user details.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
CommandLineRegex Tune detection based on argument presence (e.g., cat /etc/passwd vs. cat alone)
ShellContext Identify if command issued via cron, systemd, or reverse shell
AccessFrequency Define how often user/account commands are expected on endpoint

macOS

AN0256

Adversary uses dscl, who, or environment variables like $USER to identify accounts or sessions via Terminal or malicious LaunchAgents.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog subsystem:com.apple.Terminal
Process Creation (DC0032) macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC
Mutable Elements
Field Description
LaunchAgentPersistence Correlate dscl usage with known persistence vectors
CommandExecutionPath Distinguish between user-initiated terminal vs. script execution
UsernameEnumerationPattern Regex-based pattern tuning for dscl . -list /Users + grep filters

Network Devices

AN0257

Adversary executes CLI commands like show users, show ssh, or attempts to dump AAA user lists from routers or switches.

Log Sources
Data Component Name Channel
OS API Execution (DC0021) networkdevice:syslog aaa privilege_exec
Command Execution (DC0064) networkdevice:syslog eventlog
Mutable Elements
Field Description
CLICommandBaseline Expected command set per device role/user role combination
DeviceRoleSensitivity Correlate access with core vs. edge vs. management plane sensitivity
CommandFrequencyThreshold Detect burst usage of show or debug commands by non-admin users