ID | Name |
---|---|
T1087.001 | Local Account |
T1087.002 | Domain Account |
T1087.003 | Email Account |
T1087.004 | Cloud Account |
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Commands such as net user /domain
and net group /domain
of the Net utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups.
ID | Name | Description |
---|---|---|
S0552 | AdFind | |
S0239 | Bankshot |
Bankshot gathers domain and account names/information through process monitoring.[4] |
S0534 | Bazar |
Bazar has the ability to identify domain administrator accounts.[5][6] |
S0521 | BloodHound |
BloodHound can collect information about domain users, including identification of domain admin accounts.[7] |
S0635 | BoomBox |
BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.[8] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used |
G0114 | Chimera |
Chimera has has used |
S0154 | Cobalt Strike |
Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.[12] |
S0488 | CrackMapExec |
CrackMapExec can enumerate the domain user accounts on a targeted system.[13] |
G0074 | Dragonfly 2.0 |
Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller.[14] |
S0105 | dsquery |
dsquery can be used to gather information on user accounts within a domain.[15] |
S0363 | Empire |
Empire can acquire local and domain user account information.[16] |
G0037 | FIN6 |
FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[17] |
G0117 | Fox Kitten |
Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.[18] |
S0483 | IcedID |
IcedID can query LDAP to identify additional users on the network to infect.[19] |
G0004 | Ke3chang |
Ke3chang performs account discovery using commands such as |
G0045 | menuPass |
menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[21] |
G0069 | MuddyWater |
MuddyWater has used |
S0039 | Net |
Net commands used with the |
G0049 | OilRig |
OilRig has run |
G0116 | Operation Wocao |
Operation Wocao has used the |
S0165 | OSInfo | |
G0033 | Poseidon Group |
Poseidon Group searches for administrator accounts on both the local victim machine and the network.[27] |
S0378 | PoshC2 |
PoshC2 can enumerate local and domain user account information.[28] |
S0184 | POWRUNER |
POWRUNER may collect user account information by running |
G0034 | Sandworm Team |
Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[30] |
S0516 | SoreFang |
SoreFang can enumerate domain accounts via |
S0603 | Stuxnet | |
S0018 | Sykipot |
Sykipot may use |
G0010 | Turla |
Turla has used |
S0476 | Valak |
Valak has the ability to enumerate domain admin accounts.[35] |
G0102 | Wizard Spider |
Wizard Spider has identified domain admins through the use of "net group ‘Domain admins’" commands.[6] |
ID | Mitigation | Description |
---|---|---|
M1028 | Operating System Configuration |
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.