Skip to content

DET0360 Behavioral Detection of Domain Group Discovery

Item Value
ID DET0360
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1069.002 (Domain Groups)

Analytics

Windows

AN1025

Detection of domain group enumeration through command-line utilities such as ‘net group /domain’ or PowerShell cmdlets, followed by suspicious access to API calls or LSASS memory.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Mutable Elements
Field Description
TimeWindow Adjustable window to track chained discovery activity (e.g., 5-10 minutes).
UserContext Tune to focus on non-admin users or service accounts performing enumeration.
ProcessLineageDepth How far back the parent-child process chain is correlated.

Linux

AN1026

Behavioral detection of domain group enumeration via ldapsearch or custom scripts leveraging LDAP over the network.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Command Execution (DC0064) linux:syslog sshd logs
Network Traffic Content (DC0085) NSM:Flow ldap.log
Mutable Elements
Field Description
LDAPQueryDepth Tunable based on number of LDAP queries before flagging suspicious behavior.
CommandPattern Pattern matching against common ldapsearch or shell enumeration flags.

macOS

AN1027

Enumeration of domain groups using dscacheutil or dscl commands, often following initial login or domain trust queries.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process events
Mutable Elements
Field Description
CommandSignatureThreshold Defines how strictly command patterns must match known enumeration syntax.
TimeWindow Adjustable window to correlate chained behavior such as group enumeration followed by user targeting.