T1087.002: T1087.002

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 15/04/2026 12:25

Essential information

MITRE technique ID: T1087.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:37
Modified: 15/04/2026 12:25
Author / Source: The MITRE Corporation

Aliases

Domain Account

Platforms

windows macos linux

Description

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as `net user /domain` and `net group /domain` of the [Net](https://attack.mitre.org/software/S0039) utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including `Get-ADUser` and `Get-ADGroupMember` may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

Kill chain phases

Kill chain	Phase
mitre-attack	discovery

Marking (TLP)

External references

CrowdStrike StellarParticle January 2022
mitre-attack (T1087.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (51)

BlackByte uses Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SHADOW-EARTH-053 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN6 uses Magecart Group 6ITG08

The MITRE Corporation Confidence 100

[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ke3chang uses APT15Mirage

The MITRE Corporation Confidence 100

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lunar Spider uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1132 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Warlock uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA4557/FIN6 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-1811 uses

The MITRE Corporation Confidence 100

[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 51

VBCloud uses

Family
Qilin uses

Family
ZingDoor uses

Family
Mallard uses

Family
SNOWLIGHT uses

Family
W32.Stuxnet uses

Family
OSInfo uses

Family The MITRE Corporation Confidence 100

[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)

First seen 01/01/1970 · Last seen 16/11/5138 ·
BackConnect uses

Family
Rhysida uses

Family
More_eggs - S0284 uses

Family
CSharp Streamer uses

Family
PortStarter uses

Family

← Previous

Page / 9

1–12 of 100

Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Attackers Weaponize Microsoft Teams Relays to Stay Hidden related

AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT
Interlock and Rhysida within the Ransomware Ecosystem related

2 CVEs 22 MITREs 24 Malwares 102 Observables 1 APT
Akira, LimeWire, and the Sour Taste of Data … related

AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 1 IOC 1 Observable 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Cloud Atlas activity in the second half of … related

3 CVEs 20 MITREs 8 Malwares 17 Observables 1 APT
ClickFix Evolves with PySoxy Proxying related

20 MITREs 1 Malware 2 Observables
Iran-Linked Hackers Breached Korean Electronics Maker in Global … related

AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day … related

12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit … related

AlienVault Confidence 100 22 MITREs 2 Malwares 29 IOCs 29 Observables
UAT-8302 and its box full of malware related

3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT

← Previous

Page / 3

1–12 of 26

Vulnerabilities (CVE) (44)

CVE-2025-0921 targets

6.5 Medium

Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 …

Attack vector: Local
Complexity: LOW
Published: 16/05/2025
Modified: 17/04/2026

CWE-250

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2025-14847 KEV targets

8.7 High

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …

Attack vector: NETWORK
Published: 19/12/2025
Modified: 26/01/2026

Awaiting Analysis

CVE-2026-1281 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Published: 29/01/2026
Modified: 27/03/2026

Analyzed

CVE-2025-32433 KEV targets

10.0 Critical

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …

Attack vector: Network
Published: 09/06/2025
Modified: 27/05/2026

Received

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2025-0994 KEV targets

8.8 High

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This …

Attack vector: Network
Published: 07/02/2025
Modified: 21/12/2025

Analyzed

CVE-2026-20131 KEV targets

10.0 Critical

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: NETWORK
Complexity: Low
Published: 04/03/2026
Modified: 14/04/2026

CWE-502 Awaiting Analysis

CVE-2022-0847 KEV targets

Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has …

Published: 25/04/2022
Modified: 20/12/2025

CVE-2025-61955 targets

8.5 High

A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector: LOCAL
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2026-1340 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 29/01/2026
Modified: 10/04/2026

CWE-94 Received

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 4

1–12 of 44

T1087 subtechnique-of

Account Discovery MITRE

Tool (9)

PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
dsquery uses

The MITRE Corporation Confidence 100

[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed…
Net uses

The MITRE Corporation Confidence 100

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
BloodHound uses

The MITRE Corporation Confidence 100

[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
AdFind uses

The MITRE Corporation Confidence 100

[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
SILENTTRINITY uses

The MITRE Corporation Confidence 100

[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…
Brute Ratel C4 uses

The MITRE Corporation Confidence 100

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
CrackMapExec uses

The MITRE Corporation Confidence 100

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Course Of Action (1)

Operating System Configuration mitigates

Campaign (3)

Operation Dream Job uses
Operation Wocao uses
SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use