T1087.002: Domain Account
| View on MITRE ATT&CK | T1087.002 |
|---|---|
| Tactic(s) | Discovery |
Data from MITRE ATT&CK®:
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as `net user /domain` and `net group /domain` of the Net utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain users and groups. PowerShell cmdlets including `Get-ADUser` and `Get-ADGroupMember` may enumerate members of Active Directory groups.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
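The commands and cmdlets named in the description above all leave a process-creation record (Windows 4688, Sysmon EID 1, or an auditd/EDR equivalent), which is the data component most detections for this technique lean on. The following is an added example, not code from the page or from MITRE: a small Python detector that applies those command-line patterns to constructed Sysmon-style events and also records whether the initiating account is a machine account (the Sigma rule "Potential AD User Enumeration From Non-Machine Account" listed below makes the same distinction). The event field names, sample hostnames and accounts are assumptions chosen for illustration.

```python
"""Flag process-creation events whose command line enumerates domain accounts.

Added example (not from the page or MITRE): applies the commands named in the
T1087.002 description to Sysmon EID 1 / Windows 4688 style events.
"""
import re
from typing import Dict, List, Optional, Tuple

# Each rule: (name, compiled pattern). Word boundaries keep "net use" (share
# mapping) from tripping the "net user" rule; net1.exe is the helper binary
# net.exe hands off to, so both spellings are covered.
RULES: List[Tuple[str, re.Pattern]] = [
    ("net_user_domain", re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/domain\b", re.I)),
    ("net_group_domain", re.compile(r"\bnet1?(?:\.exe)?\s+group\b.*\s/domain\b", re.I)),
    ("powershell_ad_cmdlet", re.compile(r"\bGet-AD(?:User|GroupMember)\b", re.I)),
    ("ldapsearch", re.compile(r"\bldapsearch\b", re.I)),
    ("dscacheutil_group", re.compile(r"\bdscacheutil\b.*\s-q\s+group\b", re.I)),
]

# Constructed sample events; field names follow Sysmon EID 1 but are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\jdoe", "CommandLine": "net  user /domain"},
    {"Image": r"C:\Windows\System32\net1.exe", "ParentImage": r"C:\Windows\System32\net.exe",
     "User": r"CORP\jdoe", "CommandLine": 'net1 group "Domain Admins" /domain'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe",
     "CommandLine": "powershell -c Get-ADUser -Filter * -Properties *"},
    {"Image": "/usr/bin/ldapsearch", "ParentImage": "/bin/bash", "User": "svc-backup",
     "CommandLine": "ldapsearch -x -H ldap://dc01.example.invalid -b dc=example,dc=invalid (objectClass=user)"},
    {"Image": "/usr/bin/dscacheutil", "ParentImage": "/bin/zsh", "User": "jdoe",
     "CommandLine": "dscacheutil -q group"},
    # Benign: mapping a share is not account enumeration.
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\WS01$", "CommandLine": r"net use Z: \\fs01\share"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe", "CommandLine": r"notepad.exe C:\notes.txt"},
]


def classify(command_line: str) -> Optional[str]:
    """Return the name of the first rule the command line matches, else None."""
    for name, pattern in RULES:
        if pattern.search(command_line):
            return name
    return None


def is_machine_account(user: str) -> bool:
    """Windows computer accounts end in '$'; scheduled domain tasks often run as them."""
    return user.rstrip().endswith("$")


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per matching event, with the context a triager wants."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        rule = classify(ev.get("CommandLine", ""))
        if rule is None:
            continue
        alerts.append({
            "rule": rule,
            "image": ev.get("Image", ""),
            "parent": ev.get("ParentImage", ""),
            "user": ev.get("User", ""),
            "non_machine_account": not is_machine_account(ev.get("User", "")),
            "command": ev.get("CommandLine", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['user']} <- {alert['parent']}: {alert['command']}")
```

The rules deliberately key on arguments rather than on the binary name alone: `net.exe` and `powershell.exe` are far too common to alert on, while `/domain`, `Get-ADUser` and `-q group` are what distinguish enumeration from everyday use. Real deployments would add the renamed-binary and AdFind cases that the Sigma rules listed further down cover.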
Reporting on this Technique
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Group Enumeration (Group)
An extracted list of available groups and/or their associated settings (ex: AWS list-groups)
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
OS API Execution (Process)
Operating system function/method calls executed by a process
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Suspicious LAPS Attributes Query with adfind all properties
Enumerate all accounts via PowerShell (Domain)
Wevtutil - Discover NTLM Users Remote
Adfind - Enumerate Active Directory Exchange AD Objects
Enumerate Default Domain Admin Details (Domain)
Adfind - Enumerate Active Directory Admins
Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
Enumerate Active Directory for Unconstrained Delegation
Enumerate Active Directory Users with ADSISearcher
Enumerate Linked Policies In ADSISearcher Discovery
Account Enumeration with LDAPDomainDump
Enumerate Root Domain linked policies Discovery
Adfind -Listing password policy
Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
Automated AD Recon (ADRecon)
Get-DomainUser with PowerView
Active Directory Domain Search
Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
Enumerate all accounts (Domain)
Enumerate logged on users via CMD (Domain)
Kerbrute - userenum
Adfind - Enumerate Active Directory User Objects
Suspicious LAPS Attributes Query with Get-ADComputer all properties
WinPwn - generaldomaininfo
Sigma Detections for this Technique
PUA - AdFind Suspicious Execution
Malicious PowerShell Commandlets - ScriptBlock
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
Malicious PowerShell Commandlets - ProcessCreation
Reconnaissance Activity
Malicious PowerShell Commandlets - PoshModule
BloodHound Collection Files
Renamed AdFind Execution
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
AD Privileged Users or Groups Reconnaissance
Active Directory Computers Enumeration With Get-AdComputer
Potential AD User Enumeration From Non-Machine Account
Potential Active Directory Reconnaissance/Enumeration Via LDAP
HackTool - Bloodhound/Sharphound Execution
Suspicious Use of PsLogList
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.