diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
new file mode 100644
index 00000000000..f2b9bf89c3e
--- /dev/null
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2021/01/12"
+maturity = "production"
+updated_date = "2021/01/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of macOS built-in commands related to account or group enumeration.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Enumeration of Users or Groups via Built-in Commands"
+risk_score = 21
+rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
+severity = "low"
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Discovery"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+ not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
+"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
+ process.name : ("ldapsearch", "dsmemberutil") or
+ (process.name : "dscl" and
+ process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
+ process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
+
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
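Review bot: In the `query` block the dscl branch is not constrained by the `event.type` filter or the parent-executable exclusion, because EQL binds `and` tighter than `or`: everything before `or` forms one operand and `(process.name : "dscl" and ...)` forms the other on its own. As written the rule would also evaluate dscl process events of any type where the indexed data carries them, and the NoMAD/ZoomPresence exclusion never applies to the dscl case, which likely means duplicate or unintended alerts rather than the single start-event match the first branch gets. Grouping the two name clauses fixes the precedence: change `process.name : ("ldapsearch", "dsmemberutil") or` to `(process.name : ("ldapsearch", "dsmemberutil") or` and close the group with `process.args : ("/Active Directory/*", "/Users*", "/Groups*")))`. A one-line comment above `query` stating why those two parent executables are excluded would also help the next maintainer judge whether the exclusion is still needed.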