MITRE ATT&CK® Analytic

AN0848: Analytic 0848

Enumeration of macOS local users using dscl, id, dscacheutil, or /etc/passwd access.

Enterprise | AN0848 | Analytic | Object version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting local user enumeration on macOS, where commands or file access are used to discover accounts present on an endpoint. For leaders, the value is not that enumeration alone proves compromise, but that it can be an early warning that someone or something is mapping identities before follow-on activity. It matters most in environments where macOS endpoints have privileged users, developer access, administrative tools, or sensitive business workflows.

Executive priority

Prioritize this as an endpoint and identity visibility check for macOS fleets. Security leaders should ask whether SOC and IR teams can see basic account-discovery behavior on managed Macs, whether that evidence is retained long enough for investigations, and whether local account inventory is governed as part of endpoint hardening and audit readiness. Because the ATT&CK object provides no official detection logic or relationship context, treat it as a coverage validation item rather than a standalone risk indicator.

Technical view

Validate telemetry for macOS activity involving dscl, id, dscacheutil, and access to /etc/passwd. Keep in mind that on macOS /etc/passwd holds only legacy system accounts; the real local user records live in the local Directory Services node, so dscl (for example, dscl . -list /Users) and dscacheutil (dscacheutil -q user) are the commands that actually reveal the account inventory, and a read of /etc/passwd is a weaker signal on its own. Detection engineering should focus on command execution context, parent process, user, host role, frequency, and whether the activity is expected for administration, inventory, help desk tooling, or security software. Since no ATT&CK tactic or detection text is supplied, avoid over-weighting this behavior by itself; use it as a signal to enrich with surrounding endpoint, authentication, and process activity.

Likely telemetry

  • macOS process execution events for dscl, id, and dscacheutil
  • Command-line arguments where available
  • File access or read events involving /etc/passwd where collected
  • Parent-child process relationships
  • User and host identity context

Detection direction

  • Confirm that macOS endpoint telemetry captures the named utilities and relevant command-line context.
  • Tune for suspicious context rather than command presence alone, because legitimate administrators, scripts, inventory tools, and security products may enumerate local users.
  • Compare activity against known management tooling and standard operating procedures for Mac administration.
  • Correlate enumeration with nearby unusual process launches, privilege changes, authentication events, or other endpoint signals when available.
  • Identify blind spots on unmanaged Macs, developer workstations, short-retention endpoint logs, or telemetry that omits command-line details.
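The following is an added worked example, not part of the Glexia page or the MITRE analytic. It applies the technical view and detection direction above to constructed macOS process-execution and file-read events: each event is classified against the four behaviors named in AN0848, hits whose parent process is on a documented tooling allowlist are suppressed, and an alert is raised only when one host/user pair shows several enumeration events or more than one technique inside a short window. The event schema, the APPROVED_PARENTS allowlist (jamf, osqueryd), the thresholds, and every sample event are assumptions for illustration.

```python
"""Added example: triage of macOS local-user enumeration telemetry.

Classifies constructed process-execution and file-read events against the
behaviours named in AN0848 (dscl, id, dscacheutil, /etc/passwd), drops hits
whose parent is approved management tooling, and alerts only when a single
host/user pair shows clustered enumeration inside a short window.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

PASSWD_PATH = "/etc/passwd"
# Hypothetical allowlist of parent processes for documented admin/inventory
# tooling. Replace with the tools your own SOPs actually approve.
APPROVED_PARENTS = {"jamf", "osqueryd"}
WINDOW = timedelta(minutes=10)
MIN_EVENTS = 3       # alert when this many enumeration events cluster ...
MIN_TECHNIQUES = 2   # ... or when two different techniques are combined


def classify(ev):
    """Return the enumeration technique an event represents, or None."""
    if ev["type"] == "file_read":
        # macOS /etc/passwd holds only legacy system accounts, so a read of
        # it is a weak signal on its own; it still counts toward a cluster.
        return "passwd" if ev["path"] == PASSWD_PATH else None
    argv = shlex.split(ev["cmdline"])
    if not argv:
        return None
    proc = ev["process"]
    if PASSWD_PATH in argv[1:]:
        return "passwd"          # cat / grep / awk ... /etc/passwd
    if proc == "dscl" and any(a.endswith("/Users") or "/Users/" in a for a in argv):
        return "dscl"            # dscl . -list /Users, dscl . -read /Users/x
    if proc == "dscacheutil" and "-q" in argv and "user" in argv:
        return "dscacheutil"     # dscacheutil -q user [-a name x]
    if proc == "id":
        targets = [a for a in argv[1:] if not a.startswith("-")]
        # "id -u" inside a script is routine noise; "id <other-account>"
        # looks up someone else's record.
        if targets and targets != [ev["user"]]:
            return "id"
    return None


def triage(events):
    """Suppress approved tooling, then alert on clustered enumeration."""
    buckets = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        technique = classify(ev)
        if technique is None or ev["parent"] in APPROVED_PARENTS:
            continue
        buckets[(ev["host"], ev["user"])].append((ev["ts"], technique))

    alerts = []
    for (host, user), hits in buckets.items():
        for i, (start, _) in enumerate(hits):
            window = [t for ts, t in hits[i:] if ts - start <= WINDOW]
            if len(window) >= MIN_EVENTS or len(set(window)) >= MIN_TECHNIQUES:
                alerts.append({"host": host, "user": user,
                               "techniques": sorted(set(window)),
                               "events": len(window)})
                break            # one alert per host/user is enough for triage
    return alerts


def _t(hms):
    return datetime.fromisoformat(f"2026-03-02T{hms}")


def _proc(hms, host, user, parent, process, cmdline):
    return {"type": "process", "ts": _t(hms), "host": host, "user": user,
            "parent": parent, "process": process, "cmdline": cmdline}


# Constructed sample telemetry, not real endpoint data.
SAMPLE_EVENTS = [
    _proc("10:00:00", "mac-dev-01", "alice", "zsh", "id", "id -u"),
    _proc("10:00:05", "mac-dev-01", "alice", "zsh", "dscl", "dscl . -list /Users"),
    _proc("10:00:10", "mac-dev-01", "alice", "zsh", "dscacheutil", "dscacheutil -q user"),
    _proc("10:00:30", "mac-dev-01", "alice", "zsh", "cat", "cat /etc/passwd"),
    {"type": "file_read", "ts": _t("10:00:31"), "host": "mac-dev-01", "user": "alice",
     "parent": "zsh", "process": "python3", "path": PASSWD_PATH},
    # Approved management agent reading a user record: suppressed by allowlist.
    _proc("10:05:00", "mac-fin-02", "_jamf", "jamf", "dscl", "dscl . -read /Users/bob UniqueID"),
    # Lone lookup of another account: classified but below the cluster bar.
    _proc("11:00:00", "mac-fin-02", "carol", "zsh", "id", "id bob"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints one alert, for alice on mac-dev-01, combining dscl, dscacheutil and /etc/passwd reads within a minute; the jamf-parented dscl read is dropped by the allowlist and carol's single "id bob" stays below the threshold. The point of the clustering rule is the one the list above makes: command presence alone is noise on a managed Mac, so the rule only fires on context (unapproved parent, several techniques, short window) that a documented workflow would not normally produce.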

Mitigation priorities

  • Maintain accurate inventory and management coverage for macOS endpoints.
  • Limit unnecessary local accounts and review privileged local users on Macs.
  • Apply least-privilege administration practices for macOS support and operations.
  • Ensure endpoint logging or EDR policy captures process execution and relevant file access evidence.
  • Document approved administrative enumeration tools and workflows so SOC teams can distinguish expected activity from unusual discovery.

Analyst notes and limits

The object is a detection analytic for macOS local user enumeration using dscl, id, dscacheutil, or /etc/passwd access. No relationships, tactic mapping, or official detection logic were supplied, so this take emphasizes practical validation of visibility and triage context rather than a specific rule.

This assessment is limited to the supplied ATT&CK analytic fields and the single external reference. It does not establish adversary attribution, active exploitation, impact, or guaranteed detectability. Local baselines, endpoint tooling, log retention, and macOS management practices are required to determine operational coverage.

Official MITRE ATT&CK definition

Analytic 0848

Enumeration of macOS local users using dscl, id, dscacheutil, or /etc/passwd access.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d4a97846e1e760e8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d4a97846e1e7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0848 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.