Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADGroupMember may enumerate members of Active Directory groups.
Bankshot gathers domain and account names/information through process monitoring.
Bazar has the ability to identify domain administrator accounts.
BlackCat can utilize
BloodHound can collect information about domain users, including identification of domain admin accounts.
BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.
BRONZE BUTLER has used
|S1063||Brute Ratel C4||
Brute Ratel C4 can use LDAP queries,
Chimera has used
Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.
CrackMapExec can enumerate the domain user accounts on a targeted system.
Dragonfly has used batch scripts to enumerate users on a victim domain controller.
dsquery can be used to gather information on user accounts within a domain.
Empire can acquire local and domain user account information.
FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.
Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.
The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server.
IcedID can query LDAP to identify additional users on the network to infect.
Ke3chang performs account discovery using commands such as
LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.
menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.
MuddyWater has used
Net commands used with the
OilRig has run
During Operation CuckooBees, the threat actors used the
|C0022||Operation Dream Job||
During Operation Dream Job, Lazarus Group queried compromised victims' Active Directory servers to obtain the list of employees, including administrator accounts.
During Operation Wocao, threat actors used the
Poseidon Group searches for administrator accounts on both the local victim machine and the network.
PoshC2 can enumerate local and domain user account information.
POWRUNER may collect user account information by running
Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.
SILENTTRINITY can use
During the SolarWinds Compromise, APT29 used PowerShell to discover domain accounts by executing
SoreFang can enumerate domain accounts via
Sykipot may use
Turla has used
Valak has the ability to enumerate domain admin accounts.
Wizard Spider has identified domain admins through the use of "net group ‘Domain admins’" commands.
|M1028||Operating System Configuration||
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at
|ID||Data Source||Data Component||Detects|
Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore, discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, e.g., Windows EID 4798 and 4799.
|DS0029||Network Traffic||Network Traffic Content||
Monitor and analyze traffic patterns and packet inspection associated with LDAP and MSRPC that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure).
|DS0009||Process||OS API Execution||
Monitor for API calls that may attempt to gather information about domain accounts such as type of user, privileges and groups.
Monitor for processes that can be used to enumerate domain accounts and groups, such as
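The command-execution and process-monitoring guidance above can be turned into a small detection routine. The following Python is an added example written for this page, not part of the original page or of any of the tools it names. It runs over constructed sample events modelled on Windows process-creation records (EID 4688, with a command line) and the group-enumeration events the page cites (EID 4798/4799), flags the enumeration commands named above (net user/group /domain, dsquery, Get-ADGroupMember, ldapsearch, dscacheutil, csvde), and then applies the page's "chain of behavior" point by reporting only principals that produced more than one distinct indicator on a host. The event dictionary shape, host names, user names and threshold are assumptions of this example.

```python
"""Flag domain-account enumeration (T1087.002) in process and security events.

Added example for this page; the event format and the sample events below
are constructed for illustration and are not taken from any real log.
"""
import re
from collections import defaultdict

# Command-line indicators named on the page. Matching is case-insensitive
# because Windows tooling and PowerShell are.
ENUM_PATTERNS = [
    (re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b", re.I),
     "net user/group /domain"),
    (re.compile(r"\bdsquery(?:\.exe)?\s+(?:user|group)\b", re.I),
     "dsquery user/group"),
    (re.compile(r"\bGet-AD(?:GroupMember|User|Group)\b", re.I),
     "ActiveDirectory PowerShell cmdlet"),
    (re.compile(r"\bldapsearch\b", re.I), "ldapsearch"),
    (re.compile(r"\bdscacheutil\s+-q\s+(?:user|group)\b", re.I),
     "dscacheutil -q user/group"),
    (re.compile(r"\bcsvde(?:\.exe)?\b", re.I), "csvde export"),
]

# Windows security events that indicate group membership was enumerated.
GROUP_ENUM_EVENT_IDS = {
    4798: "local group membership enumerated (EID 4798)",
    4799: "security-enabled local group membership enumerated (EID 4799)",
}

# Constructed sample events (assumed shape: host, user, event_id, cmdline).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "event_id": 4688,
     "cmdline": "net  group \"Domain Admins\" /domain"},
    {"host": "WS01", "user": "CORP\\jdoe", "event_id": 4688,
     "cmdline": "net user /domain"},
    {"host": "WS01", "user": "CORP\\jdoe", "event_id": 4799, "cmdline": ""},
    # Benign "net use" must not be confused with "net user".
    {"host": "WS02", "user": "CORP\\svc-backup", "event_id": 4688,
     "cmdline": "net use Z: \\\\fs01\\share"},
    {"host": "WS02", "user": "CORP\\admin", "event_id": 4688,
     "cmdline": "powershell.exe -c Get-ADGroupMember 'Domain Admins'"},
    {"host": "LNX01", "user": "root", "event_id": None,
     "cmdline": "ldapsearch -x -H ldap://dc01 -b dc=corp,dc=local '(objectClass=user)'"},
    {"host": "WS03", "user": "CORP\\jsmith", "event_id": 4688,
     "cmdline": "notepad.exe report.txt"},
]


def classify_command(cmdline):
    """Return the indicator label for an enumeration command line, else None."""
    for pattern, label in ENUM_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def classify_event(event):
    """Classify by event ID first (4798/4799), then by command line."""
    label = GROUP_ENUM_EVENT_IDS.get(event.get("event_id"))
    if label:
        return label
    return classify_command(event.get("cmdline") or "")


def detect(events):
    """Return one finding per event that carries an enumeration indicator."""
    findings = []
    for event in events:
        label = classify_event(event)
        if label:
            findings.append({"host": event["host"], "user": event["user"],
                             "indicator": label})
    return findings


def hosts_with_chained_activity(events, threshold=2):
    """Report (host, user) pairs with at least `threshold` distinct indicators.

    A single discovery command is common in normal operations; several
    different indicators from one principal on one host is the chain of
    behavior the page says to look for.
    """
    seen = defaultdict(set)
    for finding in detect(events):
        seen[(finding["host"], finding["user"])].add(finding["indicator"])
    return sorted(key for key, labels in seen.items() if len(labels) >= threshold)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("chained activity:", hosts_with_chained_activity(SAMPLE_EVENTS))
```

The per-event findings are what a SIEM rule would emit; the chained view is the triage layer that keeps a lone net user /domain from paging anyone. In production the command-line patterns would be fed from process-creation telemetry (Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled), and the 4798/4799 events from the Security log.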