T1087.002 Domain Account Mappings

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the Net utility, <code>dscacheutil -q group</code>on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-6 Configuration Settings Protects T1087.002 Domain Account
CM-7 Least Functionality Protects T1087.002 Domain Account
SI-4 System Monitoring Protects T1087.002 Domain Account
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1087.002 Domain Account
azure_sentinel Azure Sentinel technique_scores T1087.002 Domain Account
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1087.002 Domain Account