T1087.002: Domain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain
and net group /domain
of the Net utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
mitre_attck_discovery: PT-CR-1080: Delegated_Accounts_Recon: Dump of accounts with delegation privileges from Active Directory
mitre_attck_discovery: PT-CR-1083: Ldapdomaindump_Queries: Active Directory information is dumped using ldapdomaindump
mitre_attck_discovery: PT-CR-1086: Users_Discovery_via_Skype: Domain accounts are uploaded via Skype (Lync)
hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts.
hacking_tools: PT-CR-2118: adPEAS_Usage: The adPEAS script for domain reconnaissance was started
unix_mitre_attck_discovery: PT-CR-1789: Unix_MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
mitre_attck_discovery: PT-CR-319: Account_Discovery: An attempt to retrieve a list of accounts is detected
mitre_attck_discovery: PT-CR-320: Account_or_Group_discovery_via_SAM_R: An attempt to retrieve a list of accounts via SAM-R is detected
mitre_attck_discovery: PT-CR-77: User_object_ldap_request: Dump of "user" objects from Active Directory
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
hacking_tools: PT-CR-841: SilentHound_AD_Enumeration: Credentials from Active Directory are acquired via enumeration using SilentHound
hacking_tools: PT-CR-2017: SharpHound_LDAP_Requests: Detecting the launch of the SharpHound (BloodHound) tool using one of the methods - ObjectProps, ACL, Trusts, Container.ObjectProps - performs Object Properties collection for properties such as LastLogon or PwdLastSet; ACL - collects abusable permissions on objects in Active Directory; Trusts - collects domain trusts; Container - collects OU tree structure and Group Policy links
hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
mitre_attck_discovery: PT-CR-88: SPN_LDAP_requests: Dump of "service" objects from Active Directory
hacking_tools: PT-CR-1790: MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to winreg (2) and wkssvc (1) named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) LoggedOn information collection method
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_to_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method
hacking_tools: PT-CR-2244: SOAPHound_Usage: SOAPHound was used, which is a tool that collects Active Directory data via the Active Directory Web Services (ADWS) protocol
mitre_attck_discovery: PT-CR-1378: PowerView_Recon: Running scripts from the PowerView toolkit used to receive information about domains, domain and local groups, and users is detected
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
mitre_attck_cred_access: PT-CR-299: LAPS_Enumeration: Search for users, groups, and computers with access to Microsoft LAPS (Local Administrator Password Solution). LAPS automatically manages the local administrator account password and backs up this password on devices connected to Active Directory services.
active_directory_attacks: PT-CR-827: Active_Directory_Snapshot: Creating a snapshot of the Active Directory structure. This may indicate that intelligence is being conducted in the Active Directory structure. An attacker can use the data obtained to form an attack vector and increase privileges
active_directory_attacks: PT-CR-87: Session_enumeration_smb: Unloading active user sessions on a specific node. This will allow an attacker to obtain information about users logged in locally or through a shared SMB network resource. Using this data will allow an attacker to gain access to the intelligence node
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
clickhouse: PT-CR-1570: ClickHouse_account_discovery: An attempt to retrieve a list of user accounts is detected
clickhouse: PT-CR-1573: ClickHouse_users_privileges_discovery: An attempt to receive information about user privileges is detected
active_directory_attacks: PT-CR-1986: Machine_Account_Quota_Access: A user accessed the MS-DS-Machine-Account-Quota attribute (the number of computer accounts that a user is allowed to create in a domain). Attackers can view this attribute to change it later.
freeipa: PT-CR-2144: FreeIPA_Suspicious_LDAP_Request: LDAP request to a sensitive attribute in the FreeIPA domain
freeipa: PT-CR-2145: Subrule_FreeIPA_LDAP_Query: LDAP request to the FreeIPA domain
freeipa: PT-CR-2146: FreeIPA_Recon_Commands: Commands used for reconnaissance are executed in the FreeIPA domain
freeipa: PT-CR-2167: FreeIPA_Kerbrute_Userenum: Activity of the kerbrute utility in the FreeIPA domain in the userenum mode to discover existing account names
Detection
ID | DS0036 | Data source and component | Group: Group Enumeration | Description | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799. |
---|
ID | DS0029 | Data source and component | Network Traffic: Network Traffic Content | Description | Monitor and analyze traffic patterns and packet inspection associated to LDAP and MSRPC that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for processes that can be used to enumerate domain accounts and groups, such as |
---|
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor for API calls that may attempt to gather information about domain accounts such as type of user, privileges and groups. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. |
---|
Mitigation
ID | M1028 | Name | Operating System Configuration | Description | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
---|