title: Domain Account (T1087.002)
id: df00tech-t1087-002
status: experimental
description: "Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users."
references:
  - https://attack.mitre.org/techniques/T1087/002/
  - https://df00tech.com/detections/T1087.002
author: df00tech
date: 2026/04/18
tags:
  - attack.t1087.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators legitimately running net user /domain or net group /domain commands during troubleshooting or account management tasks
  - Helpdesk staff using Get-ADUser or Get-ADGroupMember in PowerShell for user management operations
  - "Monitoring and identity governance tools (e.g., SailPoint, Varonis, CyberArk) that periodically enumerate AD accounts as part of access reviews"
  - HR or provisioning automation scripts that enumerate domain groups when onboarding or offboarding users
  - Domain controller health check scripts or scheduled tasks that enumerate accounts as part of routine auditing
level: medium
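Worked example, added here and not part of the df00tech rule or its KQL/SPL query: Python detection logic that applies the command patterns named in the description (net user/group /domain, Get-ADUser, Get-ADGroupMember, ldapsearch, AdFind, CrackMapExec) to constructed Sysmon-style process_creation events, and skips accounts allowlisted for the identity-governance tooling listed under falsepositives. The field names, the allowlisted account CORP\svc_idgov and all sample events are assumptions.

```python
import re

# Patterns for the enumeration commands the rule description names; matched
# against a whitespace-normalized command line, case-insensitively.
ENUMERATION_PATTERNS = {
    "net user/group /domain": re.compile(r"\bnet(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b", re.I),
    "Get-ADUser / Get-ADGroupMember": re.compile(r"\bGet-AD(?:User|GroupMember)\b", re.I),
    "ldapsearch": re.compile(r"\bldapsearch\b", re.I),
    "AdFind": re.compile(r"\badfind(?:\.exe)?\b", re.I),
    "CrackMapExec": re.compile(r"\bcrackmapexec\b", re.I),
}

def normalize(cmdline: str) -> str:
    """Collapse runs of whitespace so padded commands still match."""
    return " ".join(cmdline.split())

def detect(events, allowlisted_users=frozenset()):
    """Return (user, label, command line) for each process_creation event that matches.

    events: dicts with EventID, User, CommandLine (Sysmon Event ID 1 style; assumed field names).
    allowlisted_users: accounts of identity-governance or audit tooling that legitimately
    enumerate AD (the rule's false-positive cases); their events are skipped.
    """
    skip = {u.lower() for u in allowlisted_users}
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or ev.get("User", "").lower() in skip:
            continue
        cmd = normalize(ev.get("CommandLine", ""))
        for label, pattern in ENUMERATION_PATTERNS.items():
            if pattern.search(cmd):
                hits.append((ev["User"], label, cmd))
                break  # one alert per event is enough
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "net   user /domain"},
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": 'net group "Domain Admins" /domain'},
    {"EventID": 1, "User": "CORP\\helpdesk1",
     "CommandLine": "powershell -NoP -C \"Get-ADGroupMember -Identity 'Domain Admins'\""},
    {"EventID": 1, "User": "CORP\\svc_idgov", "CommandLine": "powershell Get-ADUser -Filter *"},
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "C:\\Temp\\AdFind.exe -f objectcategory=person"},
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "net use Z: \\\\fileserver\\share"},  # benign
    {"EventID": 3, "User": "CORP\\jdoe", "CommandLine": "net user /domain"},  # not process creation
]

if __name__ == "__main__":
    for user, label, cmd in detect(SAMPLE_EVENTS, allowlisted_users={"CORP\\svc_idgov"}):
        print(f"[T1087.002] {user}: {label}: {cmd}")
```

The allowlist is the one knob this example offers for the false-positive cases; tune the patterns per environment before relying on the medium level.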
