[New Rule] Enumeration of Users or Groups using Built-In Commands

## Description

**EQL:**
```
process where event.type in ("start", "process_started") and
 (process.name in ("ldapsearch", "dsmemberutil")) or
 (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls") and process.args:("/Active Directory/*", "/Users*", "/Groups*"))
```

![image](https://user-images.githubusercontent.com/64742097/104370071-9f9a4700-551e-11eb-807c-944abf32ba5c.png)


## Required Info

- **Eventing Sources:**


- **Target Operating Systems:**


- **Platforms**


- **Target ECS Version:** x.x.x
- **New fields required in ECS for this?**
- **Related issues or PRs**

## Optional Info
- **References:**



## Example Data

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] Enumeration of Users or Groups using Built-In Commands #847

Description

Required Info

Optional Info

Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule] Enumeration of Users or Groups using Built-In Commands #847

Description

Description

Required Info

Optional Info

Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions