Domain Account (T1087.002)

Information

• Name: Domain Account

• ID: T1087.002

• Tactics:

• Technique:

Introduction

Domain Account () is a sub-technique within the MITRE ATT&CK framework under the parent technique "Account Discovery" (). It refers to adversaries attempting to enumerate domain accounts within an Active Directory (AD) environment. Attackers typically perform this enumeration to identify valid user and administrator accounts, group memberships, and privileges within the domain. Gathering this information allows attackers to better understand the target organization's structure, identify high-value targets, and plan subsequent lateral movement or privilege escalation activities.

Deep Dive Into Technique

Domain account enumeration involves adversaries leveraging built-in tools, scripts, or custom utilities to query Active Directory services for account information. Attackers typically attempt to identify the following:

• Domain users and administrators

• Account privileges and permissions

• Group memberships and roles

• Account status (active, disabled, locked, etc.)

• Password policies and expiration details

Common built-in tools and commands used by attackers include:

• net user /domain: Lists domain user accounts and groups.

• net group /domain: Lists domain groups and their members.

• net localgroup administrators /domain: Lists domain administrators.

• PowerShell cmdlets such as:

  • Get-ADUser (Active Directory module)

  • Get-ADGroupMember

  • Get-ADDomain

• LDAP queries via tools like:

  • ldapsearch

  • ADExplorer (Sysinternals)

  • BloodHound (graph-based AD enumeration tool)

  • PowerView (PowerShell-based enumeration script)

Attackers often use these methods after gaining initial access to a domain-joined system. Enumerating domain accounts helps build a comprehensive map of the organization's Active Directory structure, allowing attackers to identify privileged accounts or groups, facilitating lateral movement, privilege escalation, credential theft, and persistence.

When this Technique is Usually Used

Attackers typically utilize domain account enumeration during multiple stages of an attack lifecycle, including:

• Initial Reconnaissance and Discovery:

  • Identifying valid domain accounts and groups early in the attack.

• Post-Exploitation and Privilege Escalation:

  • Finding privileged domain accounts or groups to escalate privileges.

• Lateral Movement:

  • Identifying additional targets within the domain to move laterally.

• Persistence and Credential Access:

  • Discovering accounts suitable for long-term persistence or credential theft.

• Pre-Attack Reconnaissance (Internal):

  • Internal attackers or insiders enumerating accounts to plan malicious activities.

Scenarios where this technique is frequently observed include:

• Internal penetration testing and red-team exercises.

• Advanced Persistent Threat (APT) campaigns.

• Ransomware attacks targeting Active Directory environments.

• Insider threats seeking sensitive account information.

How this Technique is Usually Detected

Detection of domain account enumeration typically relies on monitoring activities within Active Directory environments and analyzing logs for suspicious account enumeration activities. Common detection methods include:

• Event Log Monitoring:

  • Windows Security event logs (Event IDs 4661, 4662, 5136) for excessive or unusual LDAP queries.

  • Audit logs for excessive use of domain enumeration commands (net user, net group, etc.).

• Network Traffic Monitoring:

  • Monitoring LDAP traffic for unusual queries or large-scale enumeration attempts.

  • Detecting anomalous SMB or RPC traffic patterns indicative of enumeration.

• Endpoint Detection and Response (EDR):

  • Monitoring suspicious execution of built-in Windows tools (net.exe, PowerShell scripts).

  • Detecting execution of enumeration scripts (e.g., PowerView).

• Behavioral Analytics and SIEM Correlation:

  • Identifying anomalies in user account queries or sudden spikes in enumeration activities.

  • Correlating enumeration events with other suspicious activities (failed logins, lateral movement attempts).

Indicators of Compromise (IoCs) and suspicious activities include:

• High volume of LDAP queries from unusual hosts or accounts.

• Execution of enumeration commands (net user/domain, net group/domain) from unauthorized hosts.

• Suspicious PowerShell script execution (e.g., PowerView scripts).

• Abnormal querying of domain controllers outside regular administrative activities.

Why it is Important to Detect This Technique

Early detection of domain account enumeration is critical due to the potential impacts and consequences it can have on organizational security. Importance includes:

• Preventing Privilege Escalation and Lateral Movement:

  • Detecting enumeration early can prevent attackers from identifying privileged accounts, limiting their ability to escalate privileges or move laterally.

• Reducing Attack Surface:

  • Early detection allows organizations to respond promptly, limiting the scope and impact of potential breaches.

• Protecting Sensitive Information:

  • Domain account enumeration can expose sensitive account details, enabling attackers to plan targeted attacks against critical assets and data.

• Minimizing Risk of Persistence:

  • Early awareness of enumeration attempts can help organizations identify and remediate compromised accounts before attackers establish persistence.

• Supporting Incident Response and Threat Hunting:

  • Detection provides valuable context to incident response teams, enabling faster investigation, containment, and remediation efforts.

Failure to detect domain account enumeration can lead to:

• Compromise of privileged domain accounts (Domain Admins, Enterprise Admins).

• Unauthorized access to critical systems and sensitive data.

• Increased risk of advanced persistent threats (APT) and ransomware attacks.

• Persistent footholds established by attackers, complicating remediation efforts.

Examples

Real-world examples and attack scenarios involving domain account enumeration include:

• APT29 (Cozy Bear):

  • Utilized PowerShell scripts (e.g., PowerView) to enumerate domain accounts, identify privileged accounts, and facilitate lateral movement within targeted networks.

  • Leveraged enumeration results to escalate privileges and maintain persistent access to compromised environments.

• Ryuk Ransomware Attacks:

  • Attackers used built-in Windows tools (net user /domain, net group /domain) to enumerate domain accounts and privileges.

  • Identified domain administrators and high-value targets to propagate ransomware rapidly across entire networks.

• Red-Team Engagements (Penetration Testing):

  • Commonly use BloodHound and PowerView scripts to enumerate domain accounts, group memberships, and permissions.

  • Identify misconfigured or over-privileged accounts to demonstrate potential impact of domain enumeration during security assessments.

• FIN6 Financially Motivated Threat Actor:

  • Conducted domain account enumeration to identify domain administrators and privileged accounts.

  • Leveraged discovered accounts to escalate privileges, access sensitive financial data, and exfiltrate payment card information.

Tools commonly used in real-world attacks involving domain account enumeration include:

• BloodHound:

  • Graph-based Active Directory enumeration tool used to visualize domain relationships, privileges, and attack paths.

• PowerView (part of PowerSploit):

  • PowerShell-based enumeration script capable of identifying domain users, groups, and permissions.

• ADExplorer (Sysinternals):

  • GUI-based LDAP query tool used by attackers to enumerate domain accounts and attributes.

• Impacket Suite:

  • Python-based toolkit providing utilities (GetADUsers.py, GetUserSPNs.py) to enumerate domain accounts, users, and service principal names.

These examples illustrate the widespread use of domain account enumeration by attackers across various threat groups, attack scenarios, and industry sectors.