Description
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
Platforms
Mitigations (1)
Operating System ConfigurationM1028
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components
Threat Groups (29)
| ID | Group | Context |
|---|---|---|
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) can identify user accounts associated with a Service Principal Name and query Service Principal Names w... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Metasploit’s [PsExec](https://attack.mitre.org/software/S0029) NTDSGRAB module to obtain a copy... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used native Windows tools to obtain domain user information.(Citation: Trend Micro Earth Kasha... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used built-in <code>net</code> commands to enumerate domain administrator users.(Citation: Rostovcev AP... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs account discovery using commands such as <code>net localgroup administrators</code> and <co... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has enumerated legitimate domain accounts which are used in the targeted environment.(Citati... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized [AdFind](https://attack.mitre.org/software/S0552) to identify domain users.(Citati... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has used `net` commands and tools such as [AdFind](https://attack.mitre.org/software/S0552) to ... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used <code>cmd.exe net user /domain</code> to enumerate domain users.(Citation: Trend Micro Mu... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has scanned for domain admin accounts in compromised environments.(Citation: SOCRadar INC Ransom J... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has used the AD Explorer tool to enumerate users on a victim's network.(Citation: MSTIC DEV-0537 Mar ... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has has used <code>net user /dom</code> and <code>net user Administrator</code> to enumerate domain a... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used the Microsoft administration tool csvde.exe to export Active Directory data.(Citation: PWC ... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized ADRecon to enumerate the active directory environment.(Citation: Check Point VOID... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run <code>net user</code>, <code>net user /domain</code>, <code>net group “domain admins” /domain<... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has run `net user %USER% /dom` for account discovery.(Citation: Kaspersky ToddyCat Check Logs Octobe... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used <code>net user /domain</code> to enumerate domain accounts.(Citation: ESET ComRAT May 2020) |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) has used tools such as [AdFind](https://attack.mitre.org/software/S0552) to identify and enumerate ... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has identified domain admins through the use of `net group "Domain admins" /DOMAIN`. [Wizard Sp... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used the Softerra LDAP browser to browse documentation on service accounts.(Citation: CISA AA2... |
Associated Software (28)
| ID | Name | Type | Context |
|---|---|---|---|
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate domain accounts.(Citation: Google Cloud APT41 2024) |
| S0516 | SoreFang | Malware | [SoreFang](https://attack.mitre.org/software/S0516) can enumerate domain accounts via <code>net.exe user /domain</code>.(Citation: CISA SoreFang July ... |
| S0039 | Net | Tool | [Net](https://attack.mitre.org/software/S0039) commands used with the <code>/domain</code> flag can be used to gather information about and manipulate... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) has the ability to identify domain administrator accounts.(Citation: NCC Group Team9 June 2020)(Citat... |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can enumerate the domain user accounts on a targeted system.(Citation: CME Github September 20... |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes modules for collecting information on Active Directory domain accounts.(Citation: Symantec D... |
| S0018 | Sykipot | Malware | [Sykipot](https://attack.mitre.org/software/S0018) may use <code>net group "domain admins" /domain</code> to display accounts in the "domain admins" p... |
| S0635 | BoomBox | Malware | [BoomBox](https://attack.mitre.org/software/S0635) has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and... |
| S0105 | dsquery | Tool | [dsquery](https://attack.mitre.org/software/S0105) can be used to gather information on user accounts within a domain.(Citation: TechNet Dsquery)(Cita... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) can utilize `net use` commands to identify domain users.(Citation: Microsoft BlackCat Jun 2022) |
| S0521 | BloodHound | Tool | [BloodHound](https://attack.mitre.org/software/S0521) can collect information about domain users, including identification of domain admin accounts.(C... |
| S9035 | LAMEHUG | Malware | [LAMEHUG](https://attack.mitre.org/software/S9035) can use [dsquery](https://attack.mitre.org/software/S0105) to enumerate domain user information.(Ci... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can acquire local and domain user account information.(Citation: Github PowerShell Empire)(Citation:... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) can enumerate local and domain user account information.(Citation: GitHub PoshC2) |
| S0184 | POWRUNER | Malware | [POWRUNER](https://attack.mitre.org/software/S0184) may collect user account information by running <code>net user /domain</code> or a series of other... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can use `System.Security.AccessControl` namespaces to retrieve domain user information.(Citat... |
| S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has gathered the domain membership of the victim machine’s user.(Citation: CloudSEK_RustyWater_J... |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) enumerates user accounts of the domain.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien Febru... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can determine if the user on an infected machine is in the admin or domain admin group.(Citat... |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) can query LDAP and can use built-in `net` commands to identify additional users on the network to in... |
References
Frequently Asked Questions
What is T1087.002 (Domain Account)?
T1087.002 is a MITRE ATT&CK technique named 'Domain Account'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific account...
How can T1087.002 be detected?
Detection of T1087.002 (Domain Account) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1087.002?
There are 1 documented mitigations for T1087.002. Key mitigations include: Operating System Configuration.
Which threat groups use T1087.002?
Known threat groups using T1087.002 include: FIN13, FIN6, MirrorFace, APT41, Ke3chang, Scattered Spider, Mustang Panda, Lotus Blossom.