ID | Name |
---|---|
T1087.001 | Local Account |
T1087.002 | Domain Account |
T1087.003 | Email Account |
T1087.004 | Cloud Account |
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain
and net group /domain
of the Net utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.[1]
ID | Name | Description |
---|---|---|
S0552 | AdFind | |
G0096 | APT41 |
APT41 used built-in |
S0239 | Bankshot |
Bankshot gathers domain and account names/information through process monitoring.[8] |
S0534 | Bazar |
Bazar has the ability to identify domain administrator accounts.[9][10] |
S1068 | BlackCat |
BlackCat can utilize |
S0521 | BloodHound |
BloodHound can collect information about domain users, including identification of domain admin accounts.[12] |
S0635 | BoomBox |
BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.[13] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used |
S1063 | Brute Ratel C4 |
Brute Ratel C4 can use LDAP queries, |
G0114 | Chimera |
Chimera has has used |
S0154 | Cobalt Strike |
Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.[19] |
S0488 | CrackMapExec |
CrackMapExec can enumerate the domain user accounts on a targeted system.[20] |
G0035 | Dragonfly |
Dragonfly has used batch scripts to enumerate users on a victim domain controller.[21] |
S0105 | dsquery |
dsquery can be used to gather information on user accounts within a domain.[22][23] |
S0363 | Empire |
Empire can acquire local and domain user account information.[24][25] |
G1016 | FIN13 |
FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts: |
G0037 | FIN6 |
FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[28] |
G0117 | Fox Kitten |
Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.[29] |
S1022 | IceApple |
The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server.[30] |
S0483 | IcedID |
IcedID can query LDAP to identify additional users on the network to infect.[31] |
G0004 | Ke3chang |
Ke3chang performs account discovery using commands such as |
G1004 | LAPSUS$ |
LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.[33][34] |
G0045 | menuPass |
menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[35] |
G0069 | MuddyWater |
MuddyWater has used |
S0039 | Net |
Net commands used with the |
G0049 | OilRig |
OilRig has run |
C0012 | Operation CuckooBees |
During Operation CuckooBees, the threat actors used the |
C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group queried compromised victim's active directory servers to obtain the list of employees including administrator accounts.[40] |
C0014 | Operation Wocao |
During Operation Wocao, threat actors used the |
S0165 | OSInfo | |
G0033 | Poseidon Group |
Poseidon Group searches for administrator accounts on both the local victim machine and the network.[43] |
S0378 | PoshC2 |
PoshC2 can enumerate local and domain user account information.[44] |
S0184 | POWRUNER |
POWRUNER may collect user account information by running |
G0034 | Sandworm Team |
Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[46] |
G1015 | Scattered Spider |
Scattered Spider leverages legitimate domain accounts to gain access to the target environment.[47][48] |
S0692 | SILENTTRINITY |
SILENTTRINITY can use |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 used PowerShell to discover domain accounts by exectuing |
S0516 | SoreFang |
SoreFang can enumerate domain accounts via |
S0603 | Stuxnet | |
S0018 | Sykipot |
Sykipot may use |
G1022 | ToddyCat |
ToddyCat has run |
G0010 | Turla |
Turla has used |
S0476 | Valak |
Valak has the ability to enumerate domain admin accounts.[56] |
G1017 | Volt Typhoon |
Volt Typhoon has run |
G0102 | Wizard Spider |
Wizard Spider has identified domain admins through the use of |
ID | Mitigation | Description |
---|---|---|
M1028 | Operating System Configuration |
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. |
DS0036 | Group | Group Enumeration |
Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799. |
DS0029 | Network Traffic | Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to LDAP and MSRPC that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). |
DS0009 | Process | OS API Execution |
Monitor for API calls that may attempt to gather information about domain accounts such as type of user, privileges and groups. |
Process Creation |
Monitor for processes that can be used to enumerate domain accounts and groups, such as |