Discovery of Domain Groups

Identify usage of known commands for discovery of local groups

id:cd2124cb-718d-4ecf-bc96-5571f8e3dbce
categories:enrich
confidence:low
os:linux, macos
created:7/26/2019
updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Discovery
techniques:T1069 Permission Groups Discovery

Query

process where subtype.create and (
  process_name in ("ldapsearch", "dscacheutil") or
  process_name == "dscl" and command_line == "*-list*"
)
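The query above is a process-creation filter: it fires on any `ldapsearch` or `dscacheutil` launch, and on `dscl` only when the command line contains `-list` (the `==` against a string with `*` is a wildcard match, and `and` binds tighter than `or`, so the parentheses group exactly as written). The following Python is an added example, not part of the EQL library or the analytic itself, that re-implements that logic over a handful of constructed process events so the match and non-match cases can be seen side by side. The field names (`event_type`, `subtype`, `process_name`, `command_line`) mirror the query; the case-insensitive glob used for the `*-list*` comparison is an assumption made here, as are the sample events.

```python
import fnmatch
import json

# Constructed sample process-creation events (not real telemetry). The field
# names follow the EQL schema used by the analytic; the values are made up.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "dscl",
     "command_line": "dscl . -list /Groups", "user_name": "alice"},
    # dscl without -list: same binary, but not a listing call, so no match
    {"event_type": "process", "subtype": "create", "process_name": "dscl",
     "command_line": "dscl . -read /Users/alice", "user_name": "alice"},
    {"event_type": "process", "subtype": "create", "process_name": "ldapsearch",
     "command_line": "ldapsearch -x -b dc=example,dc=com (objectClass=group)",
     "user_name": "bob"},
    {"event_type": "process", "subtype": "create", "process_name": "dscacheutil",
     "command_line": "dscacheutil -q group", "user_name": "bob"},
    # process terminate event: the query only looks at subtype.create
    {"event_type": "process", "subtype": "terminate", "process_name": "dscacheutil",
     "command_line": "dscacheutil -q group", "user_name": "bob"},
    # wrong event type: "process where" excludes file events
    {"event_type": "file", "subtype": "create", "process_name": "dscl",
     "command_line": "dscl . -list /Groups", "user_name": "alice"},
    # -list in the command line but the process is not dscl
    {"event_type": "process", "subtype": "create", "process_name": "ls",
     "command_line": "ls -list", "user_name": "carol"},
]

# process_name in ("ldapsearch", "dscacheutil")
GROUP_QUERY_TOOLS = {"ldapsearch", "dscacheutil"}


def wildcard_match(value, pattern):
    """Approximation of EQL's wildcard string comparison.

    Assumption for this example: the comparison is a case-insensitive glob,
    so "*-list*" matches "dscl . -LIST /Groups" as well as the lowercase form.
    """
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_domain_group_discovery(event):
    """Return True when the event satisfies the analytic's EQL filter."""
    # process where subtype.create
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    name = event.get("process_name", "")
    # process_name in ("ldapsearch", "dscacheutil")
    if name in GROUP_QUERY_TOOLS:
        return True
    # process_name == "dscl" and command_line == "*-list*"
    return name == "dscl" and wildcard_match(event.get("command_line", ""), "*-list*")


def find_matches(events):
    """Filter an iterable of events down to those the analytic would flag."""
    return [e for e in events if matches_domain_group_discovery(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Run against the constructed events, three of the seven are flagged: the `dscl . -list /Groups` call, the `ldapsearch` call and the `dscacheutil -q group` call. The `dscl . -read` call, the terminate event, the file event and the `ls -list` call all fall outside the filter. Note that the `dscl` branch will also flag `dscl . -list /Users` and similar administrative listings, which is consistent with the analytic being tagged as an `enrich` category rule with low confidence: it is meant to add context to an investigation rather than to alert on its own.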

Contributors