MITRE ATT&CK® Analytic

AN1614: Analytic 1614

Detection of account enumeration through directory service queries or system utilities accessing account metadata stores, followed by structured enumeration output.

Enterprise | AN1614 | Analytic | Object version 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic covers detection of account enumeration on macOS: directory service queries or system utilities that access account metadata stores and then emit structured lists of accounts. For leaders, the significance is identity visibility. Account enumeration tells an intruder who exists in the environment and which accounts may be useful later, so coverage depends on whether macOS identity and command activity are actually logged and reviewable.

Executive priority

Prioritize this as an identity and SOC readiness validation item for macOS environments. Security leaders should ask whether endpoint telemetry can show account metadata access, whether SOC content distinguishes legitimate administration from unusual enumeration, and whether incident responders can quickly answer which accounts were queried. Because ATT&CK provides no specific detection logic or related technique context here, this should be treated as a coverage gap assessment rather than proof of current detection maturity.

Technical view

For SOC and detection teams, validate telemetry around macOS directory service queries, system utilities that access account metadata stores, and command or process output patterns consistent with structured enumeration. The supplied ATT&CK object does not provide a detection query, tactic, or relationship context, so teams should map this analytic to local macOS logging sources, normal administrative workflows, and identity infrastructure dependencies before operationalizing alerts.

Likely telemetry

  • macOS process execution telemetry for system utilities that query account or directory information
  • Command-line arguments or equivalent endpoint metadata, where collected
  • Directory service query events or logs, where available
  • File, pipe, terminal, or process output indicators showing structured account enumeration results, where observable
  • Endpoint security or EDR events from macOS hosts

Detection direction

  • Confirm that macOS hosts produce sufficient endpoint telemetry to observe account metadata queries and related utilities.
  • Baseline legitimate administrative, help desk, inventory, and compliance tooling that may enumerate accounts to reduce false positives.
  • Look for sequences where account metadata stores are accessed and followed by structured enumeration output, rather than relying on utility execution alone.
  • Treat missing command-line, directory service, or output visibility as a material blind spot.
  • Because no ATT&CK detection logic is supplied, require local validation before converting this into alerting or reporting evidence.
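The sequence the technical view and detection direction describe (account metadata access or an enumeration query, followed within a short window by captured structured output, with baselined administrative tooling excluded) expressed as working detection logic over constructed endpoint events. This is an added example for this page, not MITRE detection logic and not Glexia content. The event shape, the utility names and argv fragments (dscl, dscacheutil, dsmemberutil, id), the local directory store path under /var/db/dslocal, the allow-listed parent names and the 120-second window are all assumptions chosen for illustration; the ATT&CK object supplies none of them, and each must be replaced by what local telemetry and baselines actually show.

```python
"""Sequence-based detection of macOS account enumeration over constructed
endpoint events.

Added example for this page, not MITRE or Glexia detection logic. Every
utility name, argv pattern, store path and allow-listed parent below is an
assumption chosen for illustration; the ATT&CK object names none of them.
"""
from collections import defaultdict
from dataclasses import dataclass

# Utilities and argv fragments treated as an account/directory listing (assumed).
# An empty tuple means any invocation of that utility counts.
ENUM_PATTERNS = {
    "dscl": (". -list /Users", ". -list /Groups", "-readall /Users"),
    "dscacheutil": ("-q user", "-q group"),
    "dsmemberutil": ("getgroups",),
    "id": (),
}
# Local directory node on disk; reads here bypass the query utilities (assumed path).
ACCOUNT_STORE_PREFIXES = (
    "/var/db/dslocal/nodes/Default/users",
    "/var/db/dslocal/nodes/Default/groups",
)
SHELLS = {"sh", "bash", "zsh"}
# Parent process names baselined as documented inventory tooling (assumed names).
ALLOWED_PARENTS = {"jamf", "osqueryd", "munki"}
WINDOW_SECONDS = 120


@dataclass
class Event:
    """One normalized endpoint record. kind is "exec", "open" (file read) or "write"."""
    ts: float
    host: str
    user: str
    pid: int
    ppid: int
    parent: str          # parent process name, used for baselining
    exe: str
    argv: str = ""       # full command line for exec events
    path: str = ""       # file path for open/write events
    kind: str = "exec"


def signals(ev):
    """Label an event: store_access, enum_query, and enum_output when the
    command line itself redirects or pipes the listing somewhere."""
    if ev.kind == "open":
        return ["store_access"] if ev.path.startswith(ACCOUNT_STORE_PREFIXES) else []
    if ev.kind != "exec":
        return []
    name = ev.exe.rsplit("/", 1)[-1]
    cmd = ev.argv
    if name in SHELLS and " -c " in " " + cmd:
        # Unwrap sh -c '<command>' so the inner utility is classified.
        cmd = cmd.split("-c", 1)[1].strip().strip("'\"")
        name = cmd.split(" ", 1)[0].rsplit("/", 1)[-1]
    pats = ENUM_PATTERNS.get(name)
    if pats is None or (pats and not any(p in cmd for p in pats)):
        return []
    out = ["enum_query"]
    if ">" in cmd or "|" in cmd:
        out.append("enum_output")
    return out


def detect(events, window=WINDOW_SECONDS):
    """Alert when a store access or enumeration query by a non-baselined
    process is followed within `window` seconds, for the same host and user,
    by captured output: a redirect in argv, or a file write by the shell that
    launched the enumerating process."""
    alerts = []
    pending = defaultdict(list)   # (host, user) -> [(ts, signal, event)]
    enum_shells = set()           # (host, pid) of shells that spawned a precursor
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user)
        sigs = signals(ev)
        if ev.kind == "write" and (ev.host, ev.pid) in enum_shells:
            sigs.append("enum_output")
        for sig in sigs:
            if sig in ("store_access", "enum_query"):
                if ev.parent in ALLOWED_PARENTS:
                    continue                      # documented admin tooling
                pending[key].append((ev.ts, sig, ev))
                enum_shells.add((ev.host, ev.ppid))
            else:  # enum_output
                precursors = [p for p in pending[key] if ev.ts - p[0] <= window]
                if precursors:
                    alerts.append({
                        "host": ev.host,
                        "user": ev.user,
                        "precursors": [f"{s}: {p.argv or p.path}" for _, s, p in precursors],
                        "output": ev.argv or ev.path,
                    })
                    pending[key] = []
    return alerts


# Constructed sample telemetry for the example (not real logs).
SAMPLE_EVENTS = [
    # Baselined inventory agent listing accounts: suppressed.
    Event(1000.0, "mac-01", "root", 210, 200, "jamf", "/usr/bin/dscl", "dscl . -list /Users"),
    # Interactive user lists accounts, then the same zsh writes a file: alert.
    Event(2000.0, "mac-02", "alice", 501, 400, "zsh", "/usr/bin/dscl", "dscl . -list /Users UniqueID"),
    Event(2001.5, "mac-02", "alice", 400, 300, "Terminal", "/bin/zsh", path="/tmp/users.txt", kind="write"),
    # Lone id call with no captured output: precursor only, no alert.
    Event(3000.0, "mac-03", "bob", 777, 700, "zsh", "/usr/bin/id", "id"),
    # Script wraps the query and its redirect in one exec: alert.
    Event(4000.0, "mac-04", "carol", 910, 900, "python3", "/bin/sh", 'sh -c "dscacheutil -q user > /tmp/.u"'),
    # Direct read of the local node, but the write lands outside the window: no alert.
    Event(5000.0, "mac-05", "dave", 620, 600, "zsh", "/usr/bin/plutil",
          path="/var/db/dslocal/nodes/Default/users/admin.plist", kind="open"),
    Event(5500.0, "mac-05", "dave", 600, 500, "Terminal", "/bin/zsh", path="/tmp/out.txt", kind="write"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["host"], a["user"], a["precursors"], "->", a["output"])
```

Two of the five hosts produce an alert. The jamf-parented listing is dropped by the baseline, the lone id call never sees an output signal, and the direct store read on mac-05 is followed by a write too late to correlate, which is the case the window is there to reject. The reverse failure, an enumeration whose output never passes through a redirect or a shell-owned file write (for example, copied from the terminal), stays invisible to this logic and is the blind spot the page lists under detection direction.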

Mitigation priorities

  • Ensure macOS endpoint logging and retention support investigation of account enumeration activity.
  • Restrict account and directory metadata access according to least privilege where operationally feasible.
  • Review administrative tooling that performs account inventory so it is documented, expected, and distinguishable from unusual activity.
  • Use incident response playbooks to define how analysts should scope queried accounts and affected hosts when enumeration is suspected.
  • Maintain compliance evidence showing which macOS identity-related telemetry is collected, retained, and monitored.

Analyst notes and limits

This object is a detection analytic, not a technique description. It is limited to macOS and describes account enumeration through directory service queries or system utilities accessing account metadata stores, followed by structured enumeration output. No tactics, aliases, labels, official detection logic, or relationship context were supplied.

The ATT&CK fields provided do not include a detection query, related techniques, data components, mitigations, or examples. Local environment evidence is required to determine applicable utilities, normal administrative behavior, logging coverage, alert thresholds, and investigative procedures.

Official MITRE ATT&CK definition

Analytic 1614

Detection of account enumeration through directory service queries or system utilities accessing account metadata stores, followed by structured enumeration output.

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations (none are present in the normalized data for this object) against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 6baab339d661ebcd...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 6baab339d661…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1614 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.