MITRE ATT&CK Technique
Discovery T1087.002
Description

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-02-21T21:08:26.480Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may attempt to get a listing of domain accounts. '
                'This information can help adversaries determine which domain '
                'accounts exist to aid in follow-on behavior such as targeting '
                'specific accounts which possess particular privileges.\n'
                '\n'
                'Commands such as <code>net user /domain</code> and <code>net '
                'group /domain</code> of the '
                '[Net](https://attack.mitre.org/software/S0039) utility, '
                '<code>dscacheutil -q group</code> on macOS, and '
                '<code>ldapsearch</code> on Linux can list domain users and '
                'groups. '
                '[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
                'cmdlets including <code>Get-ADUser</code> and '
                '<code>Get-ADGroupMember</code> may enumerate members of '
                'Active Directory groups.(Citation: CrowdStrike '
                'StellarParticle January 2022)  ',
 'external_references': [{'external_id': 'T1087.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1087/002'},
                         {'description': 'CrowdStrike. (2022, January 27). '
                                         'Early Bird Catches the Wormhole: '
                                         'Observations from the '
                                         'StellarParticle Campaign. Retrieved '
                                         'February 7, 2022.',
                          'source_name': 'CrowdStrike StellarParticle January '
                                         '2022',
                          'url': 'https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/'}],
 'id': 'attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'discovery'}],
 'modified': '2025-10-24T17:48:31.050Z',
 'name': 'Domain Account',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['ExtraHop',
                          'Miriam Wiesner, @miriamxyra, Microsoft Security'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.2'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (30)
royal
High
thegentlemen
High
Wizard Spider
High
FIN7
High
Dragonfly
High
View All 30 Actors
Back to TTPs
Dashboard About