T1087.002

Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as `net user /domain` and `net group /domain` of the [Net](https://attack.mitre.org/software/S0039) utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain users and groups. ...

Platforms: Linux, macOS, Windows
55 Detections
3 Sources
27 Threat Actors

BY SOURCE

27 splunk_escu, 20 sigma, 8 elastic

PROCEDURES (29)

Process Creation Monitoring: 6 detections

Auto-extracted: 6 detections for process creation monitoring

Script Block: 5 detections

Auto-extracted: 5 detections for script block

General Monitoring: 5 detections

Auto-extracted: 5 detections for general monitoring

Script Block: 4 detections

Auto-extracted: 4 detections for script block

Lateral: 4 detections

Auto-extracted: 4 detections for lateral

Privilege: 3 detections

Auto-extracted: 3 detections for privilege

Powershell: 2 detections

Auto-extracted: 2 detections for powershell

Powershell: 2 detections

Auto-extracted: 2 detections for powershell

Wmi: 2 detections

Auto-extracted: 2 detections for wmi

Persist: 2 detections

Auto-extracted: 2 detections for persist

Spray: 2 detections

Auto-extracted: 2 detections for spray

Lateral: 1 detection

Auto-extracted: 1 detection for lateral

Wmi: 1 detection

Auto-extracted: 1 detection for wmi

Spray: 1 detection

Auto-extracted: 1 detection for spray

Powershell: 1 detection

Auto-extracted: 1 detection for powershell

Lateral: 1 detection

Auto-extracted: 1 detection for lateral

Service Monitoring: 1 detection

Auto-extracted: 1 detection for service monitoring

Service: 1 detection

Auto-extracted: 1 detection for service

Api: 1 detection

Auto-extracted: 1 detection for api

Api: 1 detection

Auto-extracted: 1 detection for api

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

Dump: 1 detection

Auto-extracted: 1 detection for dump

Persist: 1 detection

Auto-extracted: 1 detection for persist

Dump: 1 detection

Auto-extracted: 1 detection for dump

File Monitoring: 1 detection

Auto-extracted: 1 detection for file monitoring

Azure: 1 detection

Auto-extracted: 1 detection for azure

Azure: 1 detection

Auto-extracted: 1 detection for azure

Script Execution Monitoring: 1 detection

Auto-extracted: 1 detection for script execution monitoring

DETECTIONS (55)

Active Directory Computers Enumeration With Get-AdComputer (sigma, low)
Active Directory Database Snapshot Via ADExplorer (sigma, medium)
Active Directory Discovery using AdExplorer (elastic, low)
Active Directory Structure Export Via Csvde.EXE (sigma, medium)
AD Privileged Users or Groups Reconnaissance (sigma, high)
ADExplorer Writing Complete AD Snapshot Into .dat File (sigma, medium)
AdFind Command Activity (elastic, low)
AdsiSearcher Account Discovery (splunk_escu)
BloodHound Collection Files (sigma, high)
Detect AzureHound Command-Line Arguments (splunk_escu)
Detect AzureHound File Modifications (splunk_escu)
Detect SharpHound Command-Line Arguments (splunk_escu)
Detect SharpHound File Modifications (splunk_escu)
Detect SharpHound Usage (splunk_escu)
Domain Account Discovery with Dsquery (splunk_escu)
Domain Account Discovery with Wmic (splunk_escu)
Enumeration of Administrator Accounts (elastic, low)
Enumeration of Users or Groups via Built-in Commands (elastic, low)
Get ADUser with PowerShell (splunk_escu)
Get ADUser with PowerShell Script Block (splunk_escu)
Get DomainUser with PowerShell (splunk_escu)
Get DomainUser with PowerShell Script Block (splunk_escu)
GetWmiObject DS User with PowerShell (splunk_escu)
GetWmiObject DS User with PowerShell Script Block (splunk_escu)
HackTool - Bloodhound/Sharphound Execution (sigma, high)
Malicious PowerShell Commandlets - PoshModule (sigma, high)
Malicious PowerShell Commandlets - ProcessCreation (sigma, high)
Malicious PowerShell Commandlets - ScriptBlock (sigma, high)
Mounting Hidden or WebDav Remote Shares (elastic, medium)
Network Traffic to Active Directory Web Services Protocol (splunk_escu)
Potential Active Directory Reconnaissance/Enumeration Via LDAP (sigma, medium)
Potential AD User Enumeration From Non-Machine Account (sigma, medium)
Potential Enumeration via Active Directory Web Service (elastic, medium)
PowerShell Suspicious Discovery Related Windows API Functions (elastic, low)
PUA - AdFind Suspicious Execution (sigma, high)
PUA - AdFind.EXE Execution (sigma, medium)
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE (sigma, high)
Reconnaissance Activity (sigma, high)
Renamed AdFind Execution (sigma, high)
SchCache Change By App Connect And Create ADSI Object (splunk_escu)
Suspicious Access to LDAP Attributes (elastic, low)
Suspicious Active Directory Database Snapshot Via ADExplorer (sigma, high)
Suspicious Group And Account Reconnaissance Activity Using Net.EXE (sigma, medium)
Suspicious Use of PsLogList (sigma, medium)
Windows AD Abnormal Object Access Activity (splunk_escu)
Windows AD Privileged Object Access Activity (splunk_escu)
Windows Domain Account Discovery Via Get-NetComputer (splunk_escu)
Windows Find Domain Organizational Units with GetDomainOU (splunk_escu)
Windows Find Interesting ACL with FindInterestingDomainAcl (splunk_escu)
Windows Forest Discovery with GetForestDomain (splunk_escu)
Windows Get Local Admin with FindLocalAdminAccess (splunk_escu)
Windows Linked Policies In ADSI Discovery (splunk_escu)
Windows Root Domain linked policies Discovery (splunk_escu)
Windows SOAPHound Binary Execution (splunk_escu)
Windows Suspect Process With Authentication Traffic (splunk_escu)