AN0319: Analytic 0319
Detects use of dscl or id/group commands to enumerate local system groups, often by post-exploitation tools or persistence checks.
Analyst context for executives and security teams
This analytic is about spotting macOS local group enumeration using built-in commands such as dscl or id/group. For leaders, the value is not that group lookup is always malicious; it is that unexpected enumeration can indicate an operator or tool is mapping local privileges after gaining access or checking persistence conditions. That makes it relevant to macOS endpoint visibility, incident triage, and confidence that SOC teams can see identity and privilege discovery on managed workstations or servers.
Executive priority
Prioritize this as a macOS endpoint visibility and identity-risk validation item. Executives and security leaders should ask whether managed detection, IR, and audit evidence include command execution telemetry for macOS and whether analysts can distinguish routine administration from suspicious post-access discovery. This is most useful as part of a broader control set for endpoint monitoring, least privilege, and incident readiness rather than as a standalone high-confidence alert.
Technical view
AN0319 applies to macOS and detects use of dscl or id/group commands to enumerate local system groups. Because the official ATT&CK object provides no detection logic and no relationship context, SOC teams should treat it as a detection-validation prompt: confirm collection of macOS process execution data, command-line arguments, user context, parent process, host role, and timing. Tuning should account for legitimate IT administration, management tooling, scripts, and troubleshooting activity.
Likely telemetry
- macOS process creation events
- Command-line arguments for dscl, id, and group commands
- User account and privilege context associated with the process
- Parent process and process ancestry
- Host identity, asset role, and management status
Detection direction
- Validate that macOS command execution telemetry is collected and retained with command-line detail.
- Look for dscl or id/group usage that enumerates local groups, especially when launched by unusual parent processes, non-administrative users, newly seen users, or outside expected administrative workflows.
- Tune against known administrative scripts, device management activity, and help desk troubleshooting to reduce false positives.
- Correlate with other local discovery, persistence-checking, or post-access behaviors when available, since this analytic alone may be low-context.
- Document blind spots where unmanaged macOS assets, incomplete command-line logging, or privacy controls prevent reliable visibility.
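As an added illustration (not part of the ATT&CK object or the Glexia analysis), the following Python applies the detection direction above to constructed macOS process-creation events: it matches dscl group lookups and id/groups invocations, then rates each hit by parent process and user against a site baseline. The baseline parents and admin accounts are assumed values a team would replace with its own.

```python
import os
import shlex

# Constructed sample macOS process-creation events (not real telemetry).
EVENTS = [
    {"host": "mac-01", "user": "itadmin", "parent": "/usr/local/jamf/bin/jamf",
     "cmdline": "dscl . -read /Groups/admin GroupMembership"},
    {"host": "mac-02", "user": "jdoe", "parent": "/usr/bin/python3",
     "cmdline": "dscl . -list /Groups"},
    {"host": "mac-02", "user": "jdoe", "parent": "/bin/zsh", "cmdline": "id -Gn jdoe"},
    {"host": "mac-03", "user": "svc-build", "parent": "/private/tmp/.updater",
     "cmdline": "groups"},
    {"host": "mac-02", "user": "jdoe", "parent": "/bin/zsh",
     "cmdline": "dscl . -read /Users/jdoe RealName"},  # user record, not a group lookup
]
# Assumed site baseline: parents and accounts expected to perform group lookups.
BASELINE = {"parents": {"/usr/local/jamf/bin/jamf", "/bin/zsh"}, "admin_users": {"itadmin"}}
DSCL_VERBS = {"-list", "-read", "-readall", "-search"}

def is_group_enumeration(cmdline):
    """True when the command line lists or reads local group records."""
    try:
        argv = shlex.split(cmdline)
        prog = os.path.basename(argv[0])
    except (ValueError, IndexError):  # unparsable or empty command line
        return False
    if prog == "dscl":  # e.g. dscl . -list /Groups, dscl . -read /Groups/admin
        return any(a in DSCL_VERBS for a in argv) and any("/Groups" in a for a in argv)
    if prog == "groups":
        return True
    if prog == "id":  # id prints group membership unless limited to -u/-un style output
        opts = [a for a in argv[1:] if a.startswith("-")]
        return not opts or any(c in "Gg" for o in opts for c in o[1:])
    return False

def assess(event, baseline):
    """Rate the event by how far it departs from the baseline (parent, user)."""
    reasons = []
    if event["parent"] not in baseline["parents"]:
        reasons.append("unexpected parent " + event["parent"])
    if event["user"] not in baseline["admin_users"]:
        reasons.append("non-admin user " + event["user"])
    severity = {0: "info", 1: "medium", 2: "high"}[len(reasons)]
    return {**event, "severity": severity, "reasons": "; ".join(reasons)}

def detect(events, baseline=BASELINE):
    """Return only group-enumeration events, each annotated with severity and reasons."""
    return [assess(e, baseline) for e in events if is_group_enumeration(e["cmdline"])]
```

In practice the baseline would also carry host role and time-of-day expectations, and the "info" hits would feed the authorized-use baseline rather than an alert queue.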
Mitigation priorities
- Ensure macOS endpoints are enrolled in centralized endpoint monitoring with process and command-line visibility where policy permits.
- Maintain least-privilege access and review local group membership so enumeration has limited operational value to an intruder.
- Baseline authorized administrative use of dscl and id/group commands on macOS systems.
- Include this behavior in incident response playbooks as a trigger for privilege and persistence review when observed in suspicious context.
- Use findings to support compliance evidence around endpoint monitoring, privileged access review, and investigation readiness.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique entry. It has a narrow platform scope of macOS, no tactics specified, no relationships supplied, and no official detection logic. The practical value is therefore in validating telemetry and analytic coverage for local group enumeration rather than asserting a specific threat campaign or detection outcome.
No active exploitation, attribution, impact, or coverage can be inferred from the supplied fields. Local baselines are required to separate legitimate administration from suspicious enumeration. The object does not provide a query, data source list, tactic mapping, or related ATT&CK techniques in the supplied context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6a3885dee529… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0319 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.