Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the Net utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups.
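The following is an added example, not part of the mapping page or of any MITRE or vendor tooling. It shows how a defender could tag process-creation telemetry for the three enumeration commands named above (with the `net1.exe` alias of `net.exe`) and then roll repeated hits per host and user into one correlated alert, in the spirit of the "Multiple Domain Accounts Queried" alert discussed later on this page. The event records and the regular expressions are constructed for illustration; the field names (`host`, `user`, `image`, `cmdline`) are assumptions, not any product's schema.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample process-creation records (shape loosely modelled on
# Windows 4688 / Sysmon event 1 and Linux execve auditing; not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user /domain"},
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": 'net1 group "Domain Admins" /domain'},
    {"host": "mac02", "user": "bob", "image": "/usr/bin/dscacheutil",
     "cmdline": "dscacheutil -q group"},
    {"host": "lnx03", "user": "svc", "image": "/usr/bin/ldapsearch",
     "cmdline": "ldapsearch -x -H ldap://dc01 -b dc=corp,dc=local (objectClass=user)"},
    # Benign look-alikes that must NOT fire: mapping a share, and a local query
    # for a single account without the /domain switch.
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\fs01\share"},
    {"host": "ws05", "user": "carol", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user carol"},
]

# Each rule pairs a name with a regex over the command line. The patterns are
# this example's own; they only cover the commands listed on the page.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # net/net1 user|group ... /domain (the /domain switch is what makes it domain enumeration)
    ("net_domain_enum",
     re.compile(r"^\s*net1?(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b", re.IGNORECASE)),
    # macOS Directory Service cache query for groups or users
    ("dscacheutil_query",
     re.compile(r"^\s*dscacheutil\s+-q\s+(?:group|user)\b", re.IGNORECASE)),
    # Any ldapsearch invocation; tune with base DN / filter in a real deployment
    ("ldapsearch",
     re.compile(r"^\s*ldapsearch\b", re.IGNORECASE)),
]


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first rule matching the command line, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a copy of every event whose command line matches a rule, with the rule name attached."""
    hits: List[Dict[str, str]] = []
    for event in events:
        rule = classify(event.get("cmdline", ""))
        if rule is not None:
            hits.append({**event, "rule": rule})
    return hits


def noisy_actors(hits: Iterable[Dict[str, str]], threshold: int = 2) -> Dict[Tuple[str, str], int]:
    """Count hits per (host, user); actors at or above the threshold deserve one
    correlated alert instead of an alert per command, which keeps analyst noise down."""
    counts = Counter((h["host"], h["user"]) for h in hits)
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["rule"]:<18} {h["host"]:<6} {h["user"]:<6} {h["cmdline"]}')
    print("repeated enumeration by:", noisy_actors(found))
```

The benign records in the sample show why the `/domain` switch is part of the `net` pattern: `net use` and a single local `net user <name>` query are everyday administration and would otherwise flood the rule. Thresholding on (host, user) is a simplification; a production detection would also window by time.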
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-6 | Configuration Settings | Protects | T1087.002 | Domain Account | |
CM-7 | Least Functionality | Protects | T1087.002 | Domain Account | |
SI-4 | System Monitoring | Protects | T1087.002 | Domain Account | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1087.002 | Domain Account | This control may detect when the local administrators group is enumerated or when multiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated". |
azure_sentinel | Azure Sentinel | technique_scores | T1087.002 | Domain Account | The Azure Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious account discovery through the use of the net tool. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1087.002 | Domain Account | The following alert of this control is able to detect domain account discovery: "Account enumeration reconnaissance (external ID 2003)". This activity should not occur frequently, so the false positive rate should be minimal. The "Security principal reconnaissance (LDAP) (external ID 2038)" alert is also relevant, and its machine learning capabilities should reduce the false positive rate. The "User and IP address reconnaissance (SMB) (external ID 2012)" alert can also detect a variation of this sub-technique. |