
DET0129 Domain Account Enumeration Across Platforms

| Item | Value |
| --- | --- |
| ID | DET0129 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1087.002 (Domain Account)

Analytics

Windows

AN0363

Adversary enumeration of domain accounts using net.exe, PowerShell, WMI, or LDAP queries from non-domain controllers or non-admin endpoints.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106 |
| Network Traffic Content (DC0085) | NSM:Flow | LDAP Bind/Search |

Mutable Elements

| Field | Description |
| --- | --- |
| CommandLinePattern | Detect variations of 'net user /domain', 'Get-ADUser', 'Get-ADGroupMember'. |
| TimeWindow | Tune detection for bursts of enumeration commands or search queries. |
| SourceHost | Restrict detection to non-DC or non-admin systems where such commands are unexpected. |

Linux

AN0364

Domain account enumeration using ldapsearch, Samba tools (e.g., 'wbinfo -u'), or winbindd lookups.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Command Execution (DC0064) | linuxsyslog | nslcd or winbind logs |
| Network Traffic Content (DC0085) | NSM:Flow | LDAP Query |

Mutable Elements

| Field | Description |
| --- | --- |
| ProcessName | Detect suspicious use of ldapsearch, wbinfo, getent passwd, or Samba enumeration tools. |
| LDAPSearchFilter | Tune for high-volume or broad-scope LDAP queries. |
| UserContext | Apply filters for unexpected users or service accounts executing the behavior. |

macOS

AN0365

Domain group and user enumeration via dscl or dscacheutil, or queries to directory services from non-admin endpoints.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | macos:unifiedlog | Process Execution |
| Command Execution (DC0064) | macos:unifiedlog | DS daemon log entries |

Mutable Elements

| Field | Description |
| --- | --- |
| CommandPattern | Match patterns such as 'dscl /Active\ Directory/All\ Domains -list /Users'. |
| EndpointRole | Flag this activity only on non-directory hosts or non-admin accounts. |
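Added example (not part of the ATT&CK page or its analytics): a small Python detector that applies the three analytics above to constructed process-creation events. It matches the command-line patterns named in AN0363, AN0364 and AN0365, drops events from domain-controller or admin hosts (the SourceHost / EndpointRole elements), and alerts only when one actor runs several matching commands inside the TimeWindow. The event field names, host-role labels and sample events are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Command-line patterns for AN0363 (Windows), AN0364 (Linux) and AN0365 (macOS).
PATTERNS = {
    "windows": re.compile(r"\bnet(?:1)?(?:\.exe)?\s+(?:user|group)\b.*?/domain\b|\bGet-AD(?:User|GroupMember)\b", re.I),
    "linux": re.compile(r"\bldapsearch\b|\bwbinfo\s+-[ug]\b|\bgetent\s+passwd\b", re.I),
    "macos": re.compile(r"\bdscl\s+.*?Active\\? Directory.*?-list\s+/(?:Users|Groups)\b|\bdscacheutil\s+-q\s+(?:user|group)\b", re.I),
}
PRIVILEGED_ROLES = {"domain_controller", "admin_workstation"}  # hosts where enumeration is expected; role names assumed
DEFAULT_WINDOW = timedelta(minutes=5)  # TimeWindow mutable element

def matched_events(events):
    """Events from non-DC/non-admin hosts whose command line matches the platform pattern."""
    return [ev for ev in events
            if ev["host_role"] not in PRIVILEGED_ROLES
            and ev["platform"] in PATTERNS
            and PATTERNS[ev["platform"]].search(ev["cmdline"])]

def find_bursts(events, window=DEFAULT_WINDOW, threshold=3):
    """Alert once per (host, user) when >= threshold matches fall inside one sliding window."""
    by_actor = defaultdict(list)
    for ev in matched_events(events):
        by_actor[(ev["host"], ev["user"])].append(ev)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"host": host, "user": user, "count": j - i,
                               "commands": [e["cmdline"] for e in evs[i:j]]})
                break  # one alert per actor is enough for triage
    return alerts

def _ev(minute, host, role, user, platform, cmdline):
    return {"ts": datetime(2025, 10, 21, 9, minute), "host": host, "host_role": role,
            "user": user, "platform": platform, "cmdline": cmdline}
SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    _ev(0, "WS01", "workstation", "alice", "windows", "net user /domain"),
    _ev(1, "WS01", "workstation", "alice", "windows", 'net group "Domain Admins" /domain'),
    _ev(2, "WS01", "workstation", "alice", "windows", "powershell -c Get-ADUser -Filter *"),
    _ev(3, "DC01", "domain_controller", "svc_ad", "windows", "Get-ADGroupMember -Identity Administrators"),
    _ev(10, "LNX02", "server", "bob", "linux", "wbinfo -u"),
    _ev(20, "LNX02", "server", "bob", "linux", "ldapsearch -x -b dc=corp,dc=example '(objectClass=user)'"),
    _ev(30, "MAC03", "workstation", "carol", "macos", "dscl /Active\\ Directory/All\\ Domains -list /Users"),
]
```

With the defaults only the workstation actor who ran three commands in two minutes is alerted; the two Linux commands ten minutes apart stay below the burst threshold until the window or threshold is loosened.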