# T1087.002 Domain Account

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).


-----------------------------------------------------------------------

### Tactics:

  * Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Command:** Command Execution

  * **Process:** Process Creation

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used the Softerra LDAP browser to browse documentation on service accounts.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used the <code>net</code> command to retrieve information about domain accounts.(Citation: FoxIT Wocao December 2019)	 | 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>net user /dom</code> and <code>net user Administrator</code> to enumerate domain accounts including administrator accounts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has identified domain admins through the use of “net group ‘Domain admins’” commands.(Citation: DFIR Ryuk's Return October 2020)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used <code>cmd.exe net user /domain</code> to enumerate domain users.(Citation: Trend Micro Muddy Water March 2021)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used <code>net user /domain</code> to identify account information.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run <code>net user</code>, <code>net user /domain</code>, <code>net group "domain admins" /domain</code>, and <code>net group "Exchange Trusted Subsystem" /domain</code> to get account listings on a victim.(Citation: Palo Alto OilRig May 2016)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used the Microsoft administration tool csvde.exe to export Active Directory data.(Citation: PWC Cloud Hopper Technical Annex April 2017)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Metasploit’s [PsExec](https://attack.mitre.org/software/S0029) NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used batch scripts to enumerate users on a victim domain controller.(Citation: US-CERT TA18-074A)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.(Citation: ESET Telebots Dec 2016)	| 
| Poseidon Group | [Poseidon Group](https://attack.mitre.org/groups/G0033) searches for administrator accounts on both the local victim machine and the network.(Citation: Kaspersky Poseidon Group)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has queried an active directory server to obtain the list of accounts, including administrator accounts.(Citation: ESET Lazarus Jun 2020)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used PowerShell to discover domain accounts by executing <code>Get-ADUser</code> and <code>Get-ADGroupMember</code>.(Citation: CrowdStrike StellarParticle January 2022)(Citation: Secureworks IRON RITUAL Profile)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used <code>net user /domain</code> to enumerate domain accounts.(Citation: ESET ComRAT May 2020)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs account discovery using commands such as <code>net localgroup administrators</code> and <code>net group "REDACTED" /domain</code> on specific permissions groups.(Citation: Mandiant Operation Ke3chang November 2014)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1087/002)

  * [Capec](https://capec.mitre.org/data/definitions/575.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Turla will use net user /domain to enumerate domain accounts.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [Other references: All custom links should go here](example.lan)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather account information. 

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** `event_id:1 AND command_line:"net user*"`

  * **Query:** `event_id:1 AND command_line:"net group*"`
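The process-creation detection described in the Technique Detection section and in Analytic 1, worked as an added example that is not part of this playbook or of any Mitre tooling: a small Python classifier run over constructed Sysmon event ID 1 records that use the same field names as the Kibana queries above. The rule names, the sample records and the `/dom`, `net1` and `cmd.exe /c` variants it handles are assumptions for illustration.

```python
import re

# Process-creation events constructed for this example, using the same field
# names as the Kibana queries above (event_id, command_line).
SAMPLE_EVENTS = [
    {"event_id": 1, "command_line": "cmd.exe /c net user /domain"},
    {"event_id": 1, "command_line": 'net1 group "Domain Admins" /dom'},
    {"event_id": 1, "command_line": r"net use Z: \\fileserver\share"},
    {"event_id": 1, "command_line": "powershell -nop Get-ADUser -Filter * | Select SamAccountName"},
    {"event_id": 1, "command_line": "csvde -f ad_export.csv"},
    {"event_id": 1, "command_line": "ldapsearch -x -H ldap://dc01 -b dc=corp,dc=example (objectClass=user)"},
    {"event_id": 1, "command_line": "dscacheutil -q group"},
    {"event_id": 3, "command_line": "net user /domain"},   # not a process-creation event
    {"event_id": 1, "command_line": "net user bob"},       # local SAM query, no /domain switch
]

# Hypothetical rule set derived from the commands the page lists.
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}
DOMAIN_SWITCH = re.compile(r"^/dom(ain)?$")          # /domain and its /dom abbreviation
AD_CMDLETS = {"get-aduser", "get-adgroupmember"}
LDAP_TOOLS = {"ldapsearch", "csvde", "csvde.exe"}

def tokens(command_line):
    """Whitespace-split, quote-stripped, lower-cased tokens of a command line."""
    return [t.strip("\"'").lower() for t in command_line.split()]

def classify(event):
    """Return the matched rule name for a Sysmon event, or None if nothing matched."""
    if event.get("event_id") != 1:
        return None
    toks = tokens(event.get("command_line", ""))
    # net/net1 may sit behind a cmd.exe /c prefix, so scan every position
    for i, t in enumerate(toks):
        if (t in NET_BINARIES and i + 1 < len(toks) and toks[i + 1] in ("user", "group")
                and any(DOMAIN_SWITCH.match(x) for x in toks[i + 2:])):
            return "net_domain_enum"
    if AD_CMDLETS & set(toks):
        return "powershell_ad_cmdlet"
    if toks and toks[0] in LDAP_TOOLS:
        return "ldap_enum"
    if len(toks) >= 3 and toks[0] == "dscacheutil" and toks[1] == "-q" and toks[2] in ("user", "group"):
        return "macos_directory_query"
    return None

def hunt(events):
    """Return (rule, command_line) pairs for every event that matched a rule."""
    return [(classify(ev), ev["command_line"]) for ev in events if classify(ev)]

if __name__ == "__main__":
    for rule, cmd in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {cmd}")
```

Each hit should still be read alongside the parent process and the user context, as the Hunter Notes say, rather than alerted on in isolation.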

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

