Account Discovery: Domain Account, Sub-technique T1087.002 - Enterprise
AdFind can enumerate domain users.[2][3][4][5][6]
APT41 used built-in net commands to enumerate domain administrator users.[7]
Bankshot gathers domain and account names/information through process monitoring.[8]
Bazar has the ability to identify domain administrator accounts.[9][10]
BlackByte has used tools such as AdFind to identify and enumerate domain accounts.[11]
BlackCat can utilize net use commands to identify domain users.[12]
BloodHound can collect information about domain users, including identification of domain admin accounts.[13]
BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.[14]
BRONZE BUTLER has used net user /domain to identify account information.[15]
Brute Ratel C4 can use LDAP queries, net group "Domain Admins" /domain and net user /domain for discovery.[16][17]
Chimera has used net user /dom and net user Administrator to enumerate domain accounts including administrator accounts.[18][19]
Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.[20]
CrackMapExec can enumerate the domain user accounts on a targeted system.[21]
Dragonfly has used batch scripts to enumerate users on a victim domain controller.[22]
dsquery can be used to gather information on user accounts within a domain.[23][24]
DUSTTRAP can enumerate domain accounts.[25]
Empire can acquire local and domain user account information.[26][27]
FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts: GetUserSPNs.vbs and querySpn.vbs.[28][29]
FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[30]
FIN7 has used the PowerShell script 3CF9.ps1 and the executable WsTaskLoad to enumerate domain administrators by executing net group "Domain Admins" /domain.[31] FIN7 has also used csvde.exe, which is a built-in Windows command line tool, to export Active Directory information.
Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.[32]
The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server.[33]
IcedID can query LDAP and can use built-in net commands to identify additional users on the network to infect.[34][35]
INC Ransom has scanned for domain admin accounts in compromised environments.[36]
Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[37]
LAMEHUG can use dsquery to enumerate domain user information.[38]
LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.[39][40]
Latrodectus can run C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain to identify domain administrator accounts.[41]
Lotus Blossom has used net commands and tools such as AdFind to profile domain accounts associated with victim machines and make Active Directory queries.[42][43]
menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[44]
MgBot includes modules for collecting information on Active Directory domain accounts.[45]
MirrorFace has used native Windows tools to obtain domain user information.[46]
MuddyWater has used cmd.exe net user /domain to enumerate domain users.[47]
Mustang Panda has utilized AdFind to identify domain users.[48]
Net commands used with the /domain flag can be used to gather information about and manipulate user accounts on the current domain.[49]
OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[50]
During Operation CuckooBees, the threat actors used the dsquery and dsget commands to get domain environment information and to query users in administrative groups.[51]
During Operation Dream Job, Lazarus Group queried a compromised victim's Active Directory servers to obtain the list of employees, including administrator accounts.[52]
During Operation Wocao, threat actors used the net command to retrieve information about domain accounts.[53]
OSInfo enumerates local and domain users.[54]
Poseidon Group searches for administrator accounts on both the local victim machine and the network.[55]
PoshC2 can enumerate local and domain user account information.[56]
POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim.[57]
Qilin can use PowerShell cmdlets to enumerate domain users.[58]
RedCurl has collected information about domain accounts using Sysinternals' AdExplorer functionality.[59][60]
RustyWater has gathered the domain membership of the victim machine’s user.[61]
Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[62]
Scattered Spider has enumerated legitimate domain accounts which are used in the targeted environment.[63][64][65][66]
SILENTTRINITY can use System.Security.AccessControl namespaces to retrieve domain user information.[67]
During the SolarWinds Compromise, APT29 used PowerShell to discover domain accounts by executing Get-ADUser and Get-ADGroupMember.[1][68]
SoreFang can enumerate domain accounts via net.exe user /domain.[69]
Storm-0501 has utilized an obfuscated version of the Active Directory reconnaissance tool ADRecon.ps1 (obfs.ps1 or recon.ps1) to discover domain accounts.[70]
Storm-1811 has performed domain account enumeration during intrusions.[71]
Stuxnet enumerates user accounts of the domain.[72]
Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership.[73]
ToddyCat has run net user %USER% /dom for account discovery.[74]
Turla has used net user /domain to enumerate domain accounts.[75]
Valak has the ability to enumerate domain admin accounts.[76]
VOID MANTICORE has utilized ADRecon to enumerate the Active Directory environment.[77]
Volt Typhoon has run net group /dom and net group "Domain Admins" /dom in compromised environments for account discovery.[78][79]
Wizard Spider has identified domain admins through the use of net group "Domain admins" /DOMAIN. Wizard Spider has also leveraged the PowerShell cmdlet Get-ADComputer to collect account names from Active Directory data.[10][80]
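The command lines cited across these procedure examples reduce to a handful of recurring patterns (net user/group with /domain or /dom, dsquery and dsget, AdFind, csvde, the Get-AD* cmdlets, ADRecon). The following added Python example, which is not part of the ATT&CK page, applies those patterns to process-creation events in a Sysmon Event ID 1 / Security 4688 style and escalates queries aimed at the Domain Admins group; the event field names, label names and sample events are constructed assumptions.

```python
import re
from typing import Dict, List

# Discovery patterns derived from the command lines cited in the procedure
# examples. Matching is case-insensitive because the examples vary in case and
# use both /domain and /dom. net1.exe is included because net.exe hands most
# subcommands to it, so logs may show either binary.
PATTERNS = [
    ("net_user_domain", re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/dom(?:ain)?\b", re.I)),
    ("net_group_domain", re.compile(r"\bnet1?(?:\.exe)?\s+group\b.*\s/dom(?:ain)?\b", re.I)),
    ("dsquery_user", re.compile(r"\bdsquery(?:\.exe)?\s+user\b", re.I)),
    ("dsget", re.compile(r"\bdsget(?:\.exe)?\s+(?:user|group)\b", re.I)),
    ("adfind", re.compile(r"\badfind(?:\.exe)?\b", re.I)),
    ("csvde_export", re.compile(r"\bcsvde(?:\.exe)?\b", re.I)),
    ("powershell_ad_cmdlet", re.compile(r"\bGet-AD(?:User|GroupMember|Computer)\b", re.I)),
    ("adrecon", re.compile(r"\bADRecon\.ps1\b", re.I)),  # renamed copies (obfs.ps1) need content-based detection
]

# Many of the cited procedures target this specific group; treat it as an escalation signal.
PRIVILEGED_GROUP = re.compile(r"[\"']?domain\s+admins[\"']?", re.I)


def classify_command(cmdline: str) -> Dict[str, object]:
    """Return the discovery labels a command line matches and whether it names Domain Admins."""
    labels = [label for label, rx in PATTERNS if rx.search(cmdline)]
    return {"labels": labels, "domain_admins": bool(PRIVILEGED_GROUP.search(cmdline))}


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Produce one finding per event whose CommandLine matches a discovery pattern."""
    findings = []
    for ev in events:
        result = classify_command(ev.get("CommandLine", ""))
        if result["labels"]:
            findings.append({
                "host": ev.get("Computer"), "user": ev.get("User"),
                "labels": result["labels"], "domain_admins": result["domain_admins"],
                "severity": "high" if result["domain_admins"] else "medium",
            })
    return findings


# Constructed sample events (assumed field names, modelled on Sysmon EID 1 / Security 4688).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\jdoe", "CommandLine": 'C:\\Windows\\System32\\cmd.exe /c net group "Domain Admins" /domain'},
    {"Computer": "WS01", "User": "CORP\\jdoe", "CommandLine": "net user /dom"},
    {"Computer": "WS02", "User": "CORP\\svc_backup", "CommandLine": "net.exe user jdoe /domain"},
    {"Computer": "WS02", "User": "CORP\\svc_backup", "CommandLine": "net use \\\\fileserver\\share"},  # benign: not flagged
    {"Computer": "DC01", "User": "CORP\\admin", "CommandLine": "powershell.exe -c Get-ADGroupMember -Identity 'Domain Admins'"},
    {"Computer": "WS03", "User": "CORP\\bob", "CommandLine": "dsquery user -limit 0"},
    {"Computer": "WS03", "User": "CORP\\bob", "CommandLine": "ping dc01"},  # benign: not flagged
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Baseline these patterns against legitimate administrator and help-desk activity before alerting on them, since the same commands are routine on some hosts; the domain_admins flag is the more reliable triage signal.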