AN0007: Analytic 0007
Adversary with access to domain management tools (e.g., `realmd`, `samba-tool`, `ldapmodify`) creates a new domain user via command-line utilities. Behavior chain: LDAP command or script triggers → user entry added in AD via Kerberos/LDAP traffic.
Analyst context for executives and security teams
This analytic describes a Linux-based administrative path for creating a new domain user through command-line domain management tools, resulting in a new Active Directory user object over Kerberos/LDAP. For leaders, the business issue is not the tool name; it is whether the organization can distinguish authorized identity administration from unauthorized account creation that could enable persistence, privilege expansion, or audit failure.
Executive priority
Prioritize this as an identity governance and SOC readiness validation item. Security leaders should ask whether new domain-user creation from Linux administrative hosts is expected, approved, logged, and reviewable. This matters for incident decision-making, compliance evidence around account lifecycle controls, and resilience of identity infrastructure. Because ATT&CK provides no detection logic or tactic mapping for this object, teams should treat it as a coverage gap to validate rather than as a ready-made detection.
Technical view
SOC and detection teams should validate visibility for Linux command-line use of domain management utilities such as realmd, samba-tool, and ldapmodify, and correlate that activity with directory-side evidence of a new Active Directory user entry created via Kerberos/LDAP. The key defensive question is whether endpoint process telemetry, authentication records, and directory change logs can be joined to show who ran the command, from which Linux host, using which account, and what user object was created. Since no official detection is provided and no relationships are supplied, local baselining is required to separate legitimate identity administration from suspicious or unauthorized account creation.
Likely telemetry
- Linux endpoint process execution telemetry for domain management utilities and scripts
- Command-line arguments and parent process context where collected
- Linux host identity, user session, and administrative login records
- Kerberos authentication activity associated with the requesting account and host
- LDAP traffic or directory service logs showing user-object creation
Detection direction
- Confirm whether Linux systems that can administer the domain are inventoried and monitored.
- Correlate Linux process execution of domain management tools with directory events showing new user creation.
- Baseline approved administrators, service accounts, management hosts, and automation workflows that legitimately create domain users.
- Tune for unusual source hosts, unexpected administrative principals, off-hours activity, or user creation without a corresponding approval record.
- Account for false positives from sanctioned provisioning automation, identity management jobs, and domain administration performed from Linux.
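As an added example, not part of the ATT&CK object or Glexia's analysis: the correlation described under Technical view and Detection direction, joining Linux process telemetry for the page's domain tools with directory user-creation events and grading each pair against a baseline of approved hosts and principals. The record field names (ts, host, user, cmdline, actor, created), the sample events and the approved sets are assumptions constructed for the example, not a product schema.

```python
from datetime import datetime
import shlex

DOMAIN_TOOLS = {"samba-tool", "ldapmodify", "ldapadd", "realm"}  # page's tools; realm is realmd's CLI

def tool_name(cmdline):  # basename of the executed binary, '' for an empty command line
    argv = shlex.split(cmdline)
    return argv[0].rsplit("/", 1)[-1] if argv else ""

def created_user_from_cmdline(cmdline):
    """Account in 'samba-tool user create <name>'; None if the command line lacks it (e.g. ldapadd + LDIF)."""
    argv = shlex.split(cmdline)
    if tool_name(cmdline) == "samba-tool" and argv[1:3] == ["user", "create"] and len(argv) > 3:
        return argv[3]
    return None

def correlate(proc_events, dir_events, approved_hosts, approved_admins, window_s=120):
    """Join each directory user-creation to a domain-tool run by the same principal within window_s s."""
    findings = []
    for d in dir_events:
        d_ts, match = datetime.fromisoformat(d["ts"]), None
        for p in proc_events:
            delta = (d_ts - datetime.fromisoformat(p["ts"])).total_seconds()
            if (tool_name(p["cmdline"]) not in DOMAIN_TOOLS or not 0 <= delta <= window_s
                    or p["user"].lower() != d["actor"].lower()):
                continue
            target = created_user_from_cmdline(p["cmdline"])
            if target is None or target.lower() == d["created"].lower():
                match = p
                break
        if match is None:
            verdict = "unattributed"  # directory change with no endpoint evidence: visibility gap
        elif match["host"] in approved_hosts and d["actor"] in approved_admins:
            verdict = "approved"
        else:
            verdict = "unapproved"    # unexpected host or principal: review against change records
        findings.append({"created": d["created"], "actor": d["actor"], "verdict": verdict,
                         "host": match["host"] if match else None})
    return findings

# Constructed sample telemetry (not real logs); ISO 8601 timestamps, process events from Linux hosts.
PROC_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "idm-01", "user": "svc-idm", "cmdline": "/usr/bin/samba-tool user create jdoe --random-password"},
    {"ts": "2024-05-01T02:13:05", "host": "web-07", "user": "deploy", "cmdline": "ldapadd -H ldap://dc1 -Y GSSAPI -f /tmp/new.ldif"},
    {"ts": "2024-05-01T09:00:10", "host": "idm-01", "user": "svc-idm", "cmdline": "ls -la"},
]
DIR_EVENTS = [{"ts": "2024-05-01T09:00:03", "actor": "svc-idm", "created": "jdoe"},
              {"ts": "2024-05-01T02:13:09", "actor": "deploy", "created": "backup-svc"},
              {"ts": "2024-05-01T11:30:00", "actor": "admin2", "created": "tmpuser"}]
APPROVED_HOSTS, APPROVED_ADMINS = {"idm-01"}, {"svc-idm"}
```

The third directory event has no matching endpoint execution, which is the "unattributed" case: a user object appeared without any Linux process evidence, the coverage gap the Analyst notes ask defenders to prove absent.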
Mitigation priorities
- Limit which Linux hosts and accounts can perform domain administration.
- Enforce least privilege and strong approval workflows for domain user creation.
- Ensure Active Directory auditing captures user-object creation and relevant actor/source context.
- Collect and retain Linux process and authentication telemetry from authorized domain management systems.
- Review administrative tool usage against change-management or identity lifecycle records.
Analyst notes and limits
This object is a detection analytic, not a technique, and it has no supplied tactic mapping, relationships, or official detection logic. The most useful operational framing is identity control validation: can defenders prove that domain user creation from Linux was authorized, attributable, and visible across endpoint and directory telemetry?
The supplied ATT&CK fields only support Linux as the platform and describe a behavior chain involving command-line domain management tools and Kerberos/LDAP user creation in Active Directory. No active exploitation, adversary attribution, prevalence, impact, detection query, mitigations, or relationship context were provided. Local environment architecture and logging configuration are required to determine actual risk and coverage.
Analytic 0007
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4503460a7bd2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0007 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.