AN1027: Analytic 1027
Enumeration of domain groups using dscacheutil or dscl commands, often following initial login or domain trust queries.
Analyst context for executives and security teams
This analytic describes a macOS-focused signal: use of the built-in directory utilities dscacheutil (queries the Directory Service cache) or dscl (the Directory Service command-line tool) to enumerate domain groups. For security leaders, the value is not the command names alone; it is whether the organization can see early identity reconnaissance from managed Macs, especially after login or domain trust-related activity. If this telemetry is missing, attackers or unauthorized users may be able to map group membership and privilege paths before the SOC has useful evidence.
Executive priority
Prioritize this as an identity and endpoint visibility question for macOS environments. Leaders should ask whether managed detection and incident response teams can prove collection of macOS process execution and directory service activity, and whether group-enumeration behavior can be reviewed during investigations. This supports identity risk management, audit evidence for endpoint monitoring, and faster incident scoping when suspicious activity follows authentication or domain trust events.
Technical view
Validate monitoring for macOS execution of dscacheutil and dscl where the arguments indicate domain group enumeration: for dscl, a non-local datasource (an Active Directory or LDAPv3 node rather than "." or /Local/Default) combined with a /Groups record path; for dscacheutil, a group query (-q group), which does not reveal on the command line which directory node answered. Because ATT&CK provides no official detection logic and no tactic mapping for this analytic, SOC teams should treat it as a behavioral lead rather than a standalone high-confidence alert. Useful context includes user identity, host, parent process, command-line arguments, timing relative to initial login, and nearby domain trust or directory lookup activity.
Likely telemetry
- macOS process creation events
- Command-line arguments for dscacheutil and dscl
- User and host identity context
- Authentication or initial login events on macOS endpoints
- Directory service or domain trust query evidence where available
Detection direction
- Confirm that command-line visibility is enabled for macOS endpoints; process names alone are insufficient, because both tools are used routinely for local user and group lookups and only the datasource and record path arguments distinguish domain group enumeration.
- Look for dscacheutil or dscl usage consistent with domain group enumeration, then enrich with user, host, parent process, and session timing.
- Tune for legitimate administrative, help desk, identity engineering, and troubleshooting activity to reduce false positives.
- Use the official description's context: activity following initial login or domain trust queries may be more relevant than isolated use of the tools.
- Document blind spots where unmanaged Macs, privacy settings, incomplete EDR deployment, or missing command-line capture prevent review.
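The following is an added example, not ATT&CK or Glexia code, showing the detection direction above as runnable logic: it classifies dscl and dscacheutil command lines by tool, datasource scope and /Groups record path, drops purely local lookups, correlates each hit with a preceding login for the same host and user, and down-ranks hits whose parent process is on a tuning allowlist. The event schema, the 15-minute login window, the `jamf` parent allowlist and the sample events are all constructed for this illustration and are not from any real telemetry source.

```python
"""Added example (not ATT&CK or Glexia code): flag dscl/dscacheutil domain group
enumeration and correlate it with a preceding login. Event schema, window,
parent allowlist and SAMPLE_EVENTS are constructed for this illustration."""
import os
import shlex
from datetime import datetime, timedelta

LOCAL_NODES = {".", "localhost", "/Local/Default"}
RECORD_TYPES = {"Groups", "Users", "Computers"}  # dscl record paths, not nodes
DSCL_OPTS_WITH_VALUE = {"-u", "-P", "-f"}       # dscl options that consume a value
TUNED_PARENTS = {"jamf"}                        # assumed: management agent baseline
LOGIN_WINDOW = timedelta(minutes=15)            # assumed "following initial login" window


def _dscl_node(argv):
    """Return the dscl datasource (first positional argument after options)."""
    skip = False
    for arg in argv[1:]:
        if skip:
            skip = False
            continue
        if arg in DSCL_OPTS_WITH_VALUE:
            skip = True
            continue
        if arg.startswith("-"):
            continue
        # A record path (/Groups/...) in node position means no datasource was given.
        if arg.startswith("/") and arg.split("/")[1] in RECORD_TYPES:
            return None
        return arg
    return None


def classify(cmdline):
    """Describe group-enumeration use of dscl/dscacheutil, or None if absent."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    if tool == "dscl":
        node = _dscl_node(argv)
        groups_path = any(a == "/Groups" or a.startswith("/Groups/") for a in argv[1:])
        if node is None or not groups_path:
            return None
        local = node in LOCAL_NODES or node.startswith("/Local/")
        return {"tool": tool, "scope": "local" if local else "domain", "node": node}
    if tool == "dscacheutil" and "-q" in argv:
        # dscacheutil -q group reads cached group records; the command line does
        # not say which node (local or domain) the cache entry came from.
        i = argv.index("-q")
        if argv[i + 1:i + 2] == ["group"]:
            return {"tool": tool, "scope": "unknown", "node": None}
    return None


def correlate(events, window=LOGIN_WINDOW):
    """Walk time-ordered events, flag domain/unknown-scope group enumeration and
    record whether the same user logged in on that host within `window`."""
    last_login = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"])
        if ev["type"] == "login":
            last_login[key] = ts
            continue
        if ev["type"] != "process":
            continue
        hit = classify(ev["cmdline"])
        if hit is None or hit["scope"] == "local":
            continue  # local lookups are not domain group enumeration
        login_ts = last_login.get(key)
        after_login = login_ts is not None and ts - login_ts <= window
        parent = os.path.basename(ev.get("parent", ""))
        if parent in TUNED_PARENTS:
            severity = "info"            # baselined administrative tooling
        elif hit["scope"] == "domain":
            severity = "high" if after_login else "medium"
        else:
            severity = "low"             # lead only; needs directory-side context
        findings.append({**hit, "host": ev["host"], "user": ev["user"], "parent": parent,
                         "after_login": after_login, "severity": severity,
                         "cmdline": ev["cmdline"]})
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:05", "type": "login", "host": "mac-01", "user": "jdoe"},
    {"ts": "2025-03-01T09:04:10", "type": "process", "host": "mac-01", "user": "jdoe",
     "parent": "/bin/zsh", "cmdline": 'dscl "/Active Directory/CORP/All Domains" -list /Groups'},
    {"ts": "2025-03-01T09:05:30", "type": "process", "host": "mac-01", "user": "jdoe",
     "parent": "/bin/zsh", "cmdline": "dscacheutil -q group -a name 'Domain Admins'"},
    {"ts": "2025-03-01T11:40:00", "type": "process", "host": "mac-02", "user": "helpdesk",
     "parent": "/bin/bash", "cmdline": "dscl . -read /Users/alice UniqueID"},
    {"ts": "2025-03-01T13:00:00", "type": "process", "host": "mac-02", "user": "helpdesk",
     "parent": "/bin/bash", "cmdline": "dscl . -list /Groups"},
    {"ts": "2025-03-01T14:00:00", "type": "process", "host": "mac-03", "user": "root",
     "parent": "/usr/local/bin/jamf",
     "cmdline": "dscl /LDAPv3/ldap.corp.example -read /Groups/admins GroupMembership"},
    {"ts": "2025-03-01T16:00:00", "type": "process", "host": "mac-04", "user": "svc",
     "parent": "/bin/sh", "cmdline": "dscl /LDAPv3/ldap.corp.example -list /Groups"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["user"], f["after_login"], f["cmdline"])
```

Run against the constructed events, the Active Directory listing minutes after jdoe's login scores high, the unattributed LDAP listing without a nearby login scores medium, the jamf-parented read is down-ranked to info, the dscacheutil group query is kept only as a low lead because its scope cannot be read from the command line, and both local `dscl .` lookups are dropped. The allowlist and window are the parts to replace with your own baseline.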
Mitigation priorities
- Ensure macOS endpoints that access domain resources are enrolled in endpoint monitoring and management.
- Restrict and review administrative access paths that allow broad group enumeration where business requirements permit.
- Maintain identity governance over domain groups so reconnaissance findings do not expose unnecessary privilege relationships.
- Prepare IR playbooks to correlate endpoint process activity with authentication and directory-service context.
- Use this analytic as evidence to test macOS logging coverage rather than as a guaranteed prevention control.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS with a concise description only. It identifies enumeration of domain groups using dscacheutil or dscl, often after initial login or domain trust queries. No official detection text, tactics, relationships, aliases, or labels were supplied, so local telemetry and environment baselines are required to operationalize it.
This take is limited to the official STIX fields, the MITRE external reference, and the absence of relationship context. It does not establish attacker attribution, active exploitation, business impact, or guaranteed detection coverage. Detection confidence depends on local macOS logging, command-line capture, identity context, and baseline knowledge of legitimate administration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object version, MITRE modification timestamps and raw hashes). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ad81d468d7c8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1027 (source URL preserved in the mirrored object's external references)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.