Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADGroupMember may enumerate members of Active Directory groups.
Brute Ratel C4
FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts:
Operation Dream Job
Sykipot may use
Wizard Spider has identified domain admins through the use of
Operating System Configuration
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at
Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, e.g., Windows Event IDs 4798 and 4799.
Network Traffic Content
Monitor and analyze traffic patterns and packet contents associated with LDAP and MSRPC that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, or anomalous syntax or structure).
OS API Execution
Monitor for API calls that may attempt to gather information about domain accounts, such as user type, privileges, and group memberships.
Monitor for processes that can be used to enumerate domain accounts and groups, such as
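As an added example (not part of the original page), the following Python script shows one way to turn the command-line, process, and Event ID 4798/4799 guidance above into detection logic, while honouring the warning that discovery events should not be judged in isolation. It scores indicators per host and only flags a host once two or more distinct enumeration indicators are seen. The regexes, the field names (host, event_id, command_line, caller_process), the benign-caller allowlist, and the sample events are all assumptions constructed for the example; Event IDs 4798 and 4799 are emitted for routine group-membership lookups by system processes, so the caller filter and the per-host threshold are there to keep noise down and must be tuned per environment.

```python
"""Detection sketch for domain account/group enumeration (ATT&CK T1087.002 style).

Runs over a handful of constructed process-creation and Windows Security
events and scores discovery activity per host, so that a single 'net user'
does not alert but a cluster of enumeration from one host does.
"""
import re
from collections import defaultdict

# Command-line patterns for the tools named on the page. Each tuple is
# (indicator name, compiled regex applied to the full command line).
# The regexes are this example's own assumptions about typical invocations.
COMMAND_PATTERNS = [
    ("net_user_domain",   re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/domain\b", re.I)),
    ("net_group_domain",  re.compile(r"\bnet1?(\.exe)?\s+group\b.*\s/domain\b", re.I)),
    ("dscacheutil_group", re.compile(r"\bdscacheutil\s+-q\s+group\b", re.I)),
    ("ldapsearch",        re.compile(r"\bldapsearch\b", re.I)),
    ("get_adgroupmember", re.compile(r"\bGet-ADGroupMember\b", re.I)),
]

# Windows Security event IDs that indicate group membership was enumerated.
GROUP_ENUM_EVENT_IDS = {
    4798: "eid_4798_user_group_membership_enumerated",
    4799: "eid_4799_security_group_membership_enumerated",
}

# Callers whose 4798/4799 events are routine on a domain-joined host
# (assumption: tune this allowlist per environment).
BENIGN_CALLERS = {r"c:\windows\system32\lsass.exe", r"c:\windows\system32\svchost.exe"}


def classify(event):
    """Return the list of indicator names matched by a single event dict.

    Events carry 'event_id' and either 'command_line' (process creation,
    e.g. Sysmon EID 1 / Security EID 4688) or 'caller_process'
    (Security EID 4798/4799). Field names are this example's assumption.
    """
    hits = []
    eid = event.get("event_id")
    if eid in (1, 4688):
        cmd = event.get("command_line", "")
        hits.extend(name for name, rx in COMMAND_PATTERNS if rx.search(cmd))
    elif eid in GROUP_ENUM_EVENT_IDS:
        caller = event.get("caller_process", "").lower()
        if caller not in BENIGN_CALLERS:
            hits.append(GROUP_ENUM_EVENT_IDS[eid])
    return hits


def score_hosts(events, threshold=2):
    """Group indicators by host; flag hosts with >= threshold distinct indicators.

    Returns {host: sorted list of distinct indicator names} for flagged hosts only.
    """
    per_host = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            per_host[ev["host"]].add(hit)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4688, "command_line": "net  user /domain"},
    {"host": "ws01", "event_id": 4688, "command_line": "net group \"Domain Admins\" /domain"},
    {"host": "ws01", "event_id": 4799, "caller_process": r"C:\Windows\System32\cmd.exe"},
    # ws02: one domain lookup plus a benign-caller 4798; below threshold.
    {"host": "ws02", "event_id": 4688, "command_line": "net user jdoe /domain"},
    {"host": "ws02", "event_id": 4798, "caller_process": r"C:\Windows\System32\lsass.exe"},
    # ws03: local account lookup, no /domain switch; not an indicator.
    {"host": "ws03", "event_id": 4688, "command_line": "net user jdoe"},
    {"host": "mac01", "event_id": 1, "command_line": "dscacheutil -q group"},
    {"host": "mac01", "event_id": 1,
     "command_line": "ldapsearch -x -H ldap://dc01 -b dc=corp,dc=local '(objectClass=group)'"},
    {"host": "ws04", "event_id": 4688, "command_line": "powershell.exe -c Get-ADGroupMember 'Domain Admins'"},
]

if __name__ == "__main__":
    for host, indicators in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(indicators)}")
```

Running the script flags ws01 (two Net domain queries plus a 4799 from cmd.exe) and mac01 (dscacheutil and ldapsearch), while ws02 and ws04, each with a single indicator, stay below the threshold. In production the per-host set would be bounded by a time window and enriched with the user and parent process so that the chain of behaviour the page describes, discovery followed by lateral movement, can be correlated rather than alerted on piecemeal.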