AN0363: Analytic 0363
Adversary enumeration of domain accounts using net.exe, PowerShell, WMI, or LDAP queries from non-domain controllers or non-admin endpoints.
Analyst context for executives and security teams
This analytic focuses on suspicious enumeration of domain accounts from Windows systems that are not domain controllers or expected administrative endpoints. For leaders, the decision value is whether the organization can quickly distinguish routine administration from account-discovery activity that may precede credential attacks, privilege escalation, or broader intrusion activity.
Executive priority
Prioritize this as an identity and SOC readiness check: can the business prove it monitors domain account discovery from ordinary Windows endpoints, and can responders determine whether the activity is legitimate administration or an early intrusion signal? The absence of supplied MITRE detection logic means teams should treat this as a coverage-validation requirement rather than an out-of-the-box detection.
Technical view
Validate visibility for account enumeration performed with net.exe, PowerShell, WMI, or LDAP queries on Windows, especially when initiated from non-domain controllers or non-admin endpoints. SOC and detection engineering teams should baseline where such activity is expected, define which hosts and users are authorized for domain administration, and tune alerting around deviations from those expectations. Because no tactics, relationships, or official detection logic are supplied, local asset role data and identity context are required to make this analytic actionable.
Likely telemetry
- Windows process creation events (Security event 4688, or Sysmon event 1) for net.exe and its child net1.exe, PowerShell hosts, wmic.exe, and processes spawned by WmiPrvSE.exe
- Command-line arguments where collected and permitted; for Security event 4688 this requires the "Include command line in process creation events" audit policy, otherwise the arguments that distinguish `net user /domain` from routine net.exe use are never recorded
- PowerShell logging where enabled (module logging, event 4103, and script block logging, event 4104), which also captures enumeration run in-process through the ActiveDirectory module or ADSI without a new process creation
- WMI activity logs (Microsoft-Windows-WMI-Activity/Operational) or endpoint telemetry that records queries against Win32_UserAccount, Win32_Account, and Win32_GroupUser
- LDAP query or directory service access telemetry where available, such as domain controller directory service diagnostic logging of expensive or inefficient searches (event 1644 with Field Engineering diagnostics raised), or network telemetry showing TCP 389/636/3268/3269 connections from endpoints that normally make no directory queries
Detection direction
- Confirm telemetry coverage on Windows endpoints, not only on domain controllers.
- Build or validate logic that identifies domain account enumeration using net.exe, PowerShell, WMI, or LDAP from systems that are not domain controllers or approved admin endpoints.
- Use asset role and user privilege context to reduce false positives from help desk, identity operations, IT automation, and security tooling.
- Review blind spots where command-line logging, PowerShell logging, WMI telemetry, or LDAP visibility is absent or inconsistently retained.
- Treat matches as triage leads requiring context, since the supplied ATT&CK object does not provide official detection logic or adversary relationships.
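The technical view and the detection direction above describe the same rule in prose: match the enumeration tooling, then suppress the matches that fit the organisation's baseline (domain controllers, and approved admins on approved admin endpoints), and hand the remainder to an analyst with a reason attached. The following added example, which is not MITRE ATT&CK or Glexia code, does that over a handful of constructed process-creation records. The hostnames, account names, allowlists, and command lines are all assumptions made up for the illustration; the regexes are deliberately illustrative rather than exhaustive, since obfuscated PowerShell or custom LDAP clients will not match them.

```python
"""Turn normalised process-creation events into triage leads for domain account
enumeration from hosts where it is not expected.

Added illustration for this page, not MITRE ATT&CK or Glexia code. It assumes
events have already been normalised into dicts with host, user and cmdline
(for example from Security event 4688 with command-line auditing enabled, or
Sysmon event 1). The inventories below are constructed stand-ins for an
organisation's asset-role and identity data.
"""
import re
from dataclasses import dataclass

# Constructed inventory; in practice this comes from the CMDB, PAW list and IdP.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_ENDPOINTS = {"PAW-01", "PAW-02"}              # privileged access workstations
ADMIN_USERS = {"CORP\\ida.ops", "CORP\\svc-idm"}    # authorised directory admins

# One regex per enumeration method, matched against the lower-cased command line.
# Illustrative, not exhaustive: adversaries can obfuscate or use other tooling.
ENUMERATION_PATTERNS = {
    "net.exe": re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*\s/do\w*"),
    "PowerShell": re.compile(
        r"get-ad(user|group|groupmember)\b|\[adsisearcher\]|directorysearcher"
        r"|objectcategory=person|samaccounttype"),
    "WMI": re.compile(
        r"win32_(user)?account|win32_groupuser"
        r"|wmic(\.exe)?\s+(/\S+\s+)*(useraccount|group)\b"),
    "LDAP": re.compile(r"\b(dsquery(\.exe)?\s+(user|group)|ldifde|adfind|ldapsearch)\b"),
}


@dataclass(frozen=True)
class Lead:
    host: str
    host_role: str
    user: str
    method: str
    cmdline: str
    why: str


def classify_host(host, dcs=DOMAIN_CONTROLLERS, admin_hosts=ADMIN_ENDPOINTS):
    """Map a hostname to its inventory role; unknown hosts are standard endpoints."""
    if host.upper() in dcs:
        return "domain_controller"
    if host.upper() in admin_hosts:
        return "admin_endpoint"
    return "standard_endpoint"


def detect_enumeration(cmdline):
    """Return the enumeration method a command line matches, or None."""
    text = cmdline.lower()
    for method, pattern in ENUMERATION_PATTERNS.items():
        if pattern.search(text):
            return method
    return None


def triage(events, admin_users=ADMIN_USERS):
    """Keep only enumeration events that deviate from the expected baseline.

    Baseline (no lead): any host classed as a domain controller, or an approved
    admin account on an approved admin endpoint. Every other match becomes a
    lead carrying a one-line reason so the analyst knows which deviation fired.
    """
    approved = {u.lower() for u in admin_users}
    leads = []
    for ev in events:
        method = detect_enumeration(ev["cmdline"])
        if method is None:
            continue
        role = classify_host(ev["host"])
        approved_user = ev["user"].lower() in approved
        if role == "domain_controller":
            continue
        if role == "admin_endpoint" and approved_user:
            continue
        if role == "admin_endpoint":
            why = "unapproved account running enumeration on an admin endpoint"
        elif approved_user:
            why = "approved admin account enumerating from a standard endpoint"
        else:
            why = "non-admin account enumerating from a standard endpoint"
        leads.append(Lead(ev["host"], role, ev["user"], method, ev["cmdline"], why))
    return leads


# Constructed sample events (not real telemetry): host, user and command line only.
SAMPLE_EVENTS = [
    {"host": "WS-1042", "user": "CORP\\jsmith",
     "cmdline": 'net1  group "Domain Admins" /domain'},
    {"host": "WS-1042", "user": "CORP\\jsmith",
     "cmdline": "powershell -nop -c \"([adsisearcher]'(&(objectCategory=person)(objectClass=user))').FindAll()\""},
    {"host": "PAW-01", "user": "CORP\\ida.ops",
     "cmdline": "powershell Get-ADUser -Filter * -Properties pwdLastSet"},   # baseline
    {"host": "DC01", "user": "CORP\\svc-idm",
     "cmdline": "dsquery user -limit 0"},                                    # baseline
    {"host": "WS-2201", "user": "CORP\\svc-idm",
     "cmdline": "wmic useraccount get name,sid"},
    {"host": "WS-1042", "user": "CORP\\jsmith",
     "cmdline": "net use \\\\fs01\\share"},                                  # not enumeration
]

if __name__ == "__main__":
    for lead in triage(SAMPLE_EVENTS):
        print(f"{lead.host:8} {lead.user:15} {lead.method:10} {lead.why}")
```

Run against the sample set, three leads survive: the net.exe and ADSI queries from the workstation, and the WMI query by an approved admin account from a host that is not on the admin endpoint list. The approved admin on the PAW and the dsquery run on a domain controller are suppressed as baseline, and the `net use` mapping never matches. The point of keeping the reason string on each lead is the one the page makes: the same command line is benign or suspicious depending only on asset role and identity context, so the output should say which context rule fired rather than just "match".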
Mitigation priorities
- Maintain an authoritative inventory of domain controllers, approved admin endpoints, and administrative users.
- Limit domain administration activity to managed and monitored systems where operationally feasible.
- Enable and retain relevant Windows endpoint, PowerShell, WMI, and directory telemetry needed to investigate enumeration activity.
- Review least-privilege and administrative access practices so routine users and endpoints do not have unnecessary directory visibility or admin tooling exposure.
- Document detection coverage and exceptions as compliance and incident-response evidence.
Analyst notes and limits
This object is a MITRE ATT&CK detection analytic for Windows domain account enumeration using net.exe, PowerShell, WMI, or LDAP from non-domain controllers or non-admin endpoints. No relationship context, tactics, aliases, labels, or official detection logic were supplied, so the practical value is in using it as a validation prompt for identity monitoring, endpoint visibility, and SOC triage workflows.
Assessment is limited to the supplied STIX fields and external reference. No active exploitation, attribution, impact, specific technique relationship, or guaranteed detection coverage can be inferred. Local environment baselines are required to separate legitimate administration from suspicious enumeration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8286dd25aa82… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0363
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.