Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) | Attack Pattern | Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) | Attack Pattern | 1 |