T1087.002 — Domain Account

Technique

T1087.002

Tactics

Discovery

MISP citations

0

KEV CVEs mapped

5

Community rules

21

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1087/002

MITRE description

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2023-3519
• CVE-2023-32315
• CVE-2021-44077
• CVE-2021-40539
• CVE-2020-1472

Detection coverage

SigmaHQ community rules

• Net.EXE Execution (threat-hunting)
• Potential Active Directory Reconnaissance/Enumeration Via LDAP (core)
• AD Privileged Users or Groups Reconnaissance (core)
• Potential AD User Enumeration From Non-Machine Account (core)
• Reconnaissance Activity (core)
• BloodHound Collection Files (core)
• ADExplorer Writing Complete AD Snapshot Into .dat File (core)
• Malicious PowerShell Commandlets - PoshModule (core)
• Active Directory Computers Enumeration With Get-AdComputer (core)
• Malicious PowerShell Commandlets - ScriptBlock (core)
• Active Directory Structure Export Via Csvde.EXE (core)
• HackTool - Bloodhound/Sharphound Execution (core)
• Suspicious Group And Account Reconnaissance Activity Using Net.EXE (core)
• Malicious PowerShell Commandlets - ProcessCreation (core)
• PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE (core)
• PUA - AdFind.EXE Execution (core)
• PUA - AdFind Suspicious Execution (core)
• Renamed AdFind Execution (core)
• Active Directory Database Snapshot Via ADExplorer (core)
• Suspicious Active Directory Database Snapshot Via ADExplorer (core)
• Suspicious Use of PsLogList (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.