MITRE ATT&CK® Analytic

AN0365: Analytic 0365

Domain group and user enumeration via dscl or dscacheutil, or queries to directory services from non-admin endpoints.

Domain: Enterprise | ID: AN0365 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic points to a macOS identity-discovery behavior: attempts to enumerate domain groups and users using dscl, dscacheutil, or directory service queries from non-admin endpoints. For leaders, the significance is not the tools themselves, which can have legitimate administrative uses, but whether the organization can distinguish normal Mac directory lookups from suspicious reconnaissance that may precede account misuse, privilege targeting, or broader intrusion activity.

Executive priority

Prioritize this as an identity and endpoint visibility validation item for macOS environments. Security leaders should ask whether SOC teams can see directory enumeration from Macs, whether non-admin endpoint activity is baselined, and whether incident responders can quickly determine if enumeration is expected support activity or suspicious discovery. This also supports compliance evidence around monitoring of identity-related activity, but ATT&CK provides no detection logic or relationship context here, so local validation is required before treating it as covered.

Technical view

For SOC and detection teams, validate monitoring for macOS execution or activity involving dscl, dscacheutil, and queries to directory services, especially from non-admin endpoints. Because the ATT&CK object does not specify tactics, relationships, or detection logic, treat this as a detection-design prompt rather than a ready analytic. Focus on distinguishing routine enterprise Mac behavior, IT support workflows, and directory-integrated applications from unusual user/group enumeration patterns, unexpected hosts, unexpected users, or activity outside normal administration context.

Likely telemetry

  • macOS process execution telemetry showing command name, arguments where available, user, parent process, host, and timestamp
  • Endpoint security or EDR events for dscl and dscacheutil execution
  • Directory service query telemetry or logs where available
  • Endpoint identity context, including whether the initiating user or device is expected to perform administrative or support activity
  • Asset inventory identifying macOS endpoints and role or ownership context

Detection direction

  • Confirm that macOS endpoint telemetry captures dscl and dscacheutil execution with enough detail to assess intent, including command-line arguments where policy and tooling allow.
  • Baseline legitimate directory lookups from IT administrators, management tools, login processes, and enterprise applications before alerting broadly.
  • Prioritize review of enumeration from non-admin endpoints, unusual users, unusual parent processes, newly seen hosts, or spikes in directory lookup activity.
  • Avoid assuming every dscl or dscacheutil event is malicious; these utilities may be used for normal macOS and administrative operations.
  • Because no ATT&CK detection text or relationships are supplied, map this analytic to local incident hypotheses and test it against real macOS administrative workflows.
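As an added example (not part of the ATT&CK object or Glexia's analysis), the triage approach above applied to constructed macOS process events: it separates bulk user/group listing from single-record lookups, then flags enumeration that falls outside an assumed administrative baseline. Host names, user names, the baseline sets and the event field names are assumptions.

```python
"""Triage dscl / dscacheutil enumeration in macOS process telemetry (added example)."""
import shlex

# Assumed local baseline (constructed): hosts and users expected to administer the directory.
ADMIN_HOSTS = {"mac-it-01", "mac-it-02"}
ADMIN_USERS = {"itadmin", "helpdesk"}

# Constructed sample events, not real telemetry: one process execution per record.
SAMPLE_EVENTS = [
    {"host": "mac-it-01", "user": "itadmin", "cmd": "dscl /Search -list /Groups"},
    {"host": "mac-fin-17", "user": "jdoe", "cmd": "dscl . -list /Users"},
    {"host": "mac-fin-17", "user": "jdoe", "cmd": "dscacheutil -q group"},
    {"host": "mac-eng-04", "user": "asmith", "cmd": "dscacheutil -q user -a name asmith"},
    {"host": "mac-eng-04", "user": "asmith", "cmd": "dscl . -read /Users/asmith RealName"},
]


def is_bulk_enumeration(cmd: str) -> bool:
    """True when the command dumps whole user or group record sets, not a single record.

    dscl <node> -list /Users|/Groups lists every record under the node; dscacheutil -q
    user|group with no '-a key value' filter dumps the whole cache. Single-record reads
    (dscl -read, dscacheutil -q ... -a name X) are treated as routine lookups.
    """
    try:
        argv = shlex.split(cmd)
        tool = argv[0].rsplit("/", 1)[-1]   # tolerate absolute paths such as /usr/bin/dscl
    except (ValueError, IndexError):
        return False                        # empty or unparseable command line
    if tool == "dscl":
        return "-list" in argv and any(a.rstrip("/").endswith(("/Users", "/Groups")) for a in argv)
    if tool == "dscacheutil":
        return "-q" in argv and bool({"user", "group"} & set(argv)) and "-a" not in argv
    return False


def triage(event: dict) -> str:
    """Return 'alert', 'review' or 'ignore' for one process event."""
    if not is_bulk_enumeration(event["cmd"]):
        return "ignore"
    if event["host"] in ADMIN_HOSTS and event["user"] in ADMIN_USERS:
        return "review"   # baselined admin activity: record for audit, do not page
    return "alert"        # enumeration from a non-admin endpoint or user


def run(events: list) -> dict:
    """Group events by verdict so alerts can be reviewed per host and user."""
    out = {"alert": [], "review": [], "ignore": []}
    for e in events:
        out[triage(e)].append((e["host"], e["user"], e["cmd"]))
    return out
```

In the constructed sample, both alerts come from the same non-admin host, which is the "spike from a newly seen or unexpected host" pattern the detection direction points at.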

Mitigation priorities

  • Establish endpoint visibility for macOS process and directory-service activity before relying on this analytic operationally.
  • Limit directory-query privileges and administrative access according to least-privilege principles where supported by the environment.
  • Document approved Mac administration and support workflows so SOC teams can separate expected enumeration from suspicious discovery.
  • Use asset and identity context to prioritize alerts from sensitive systems, unmanaged endpoints, or users without an administrative role.
  • Include this behavior in incident response playbooks for identity reconnaissance on macOS, with triage steps based on local telemetry and business context.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS only. It describes domain group and user enumeration via dscl, dscacheutil, or directory service queries from non-admin endpoints. No official detection logic, tactic mapping, aliases, labels, or relationship context were supplied, so this take emphasizes validation, telemetry readiness, and local baselining rather than a specific detection rule.

This assessment is limited to the supplied official STIX fields, external reference, and the absence of relationships. It does not establish prevalence, adversary use, impact, attribution, or guaranteed detectability. Organizations need local macOS telemetry, identity context, and administrative workflow knowledge to determine risk and detection quality.

Official MITRE ATT&CK definition

Analytic 0365

Domain group and user enumeration via dscl or dscacheutil, or queries to directory services from non-admin endpoints.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied in the mirrored data)
Modified: (not supplied in the mirrored data)
Raw hash: 56694a186dbaf71b...

Imported snapshots across ATT&CK releases (1)

  Release: 19.1
  Bundle imported: (not supplied in the mirrored data)
  Object version: 1.0
  Modified: (not supplied in the mirrored data)
  Status: Current bundle
  Raw hash: 56694a186dba…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0365 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.