Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the Net utility, <code>dscacheutil -q group</code>on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-6 | Configuration Settings | Protects | T1087.002 | Domain Account |
| CM-7 | Least Functionality | Protects | T1087.002 | Domain Account |
| SI-4 | System Monitoring | Protects | T1087.002 | Domain Account |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1087.002 | Domain Account |
| azure_sentinel | Azure Sentinel | technique_scores | T1087.002 | Domain Account |
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1087.002 | Domain Account |