DET0129: Domain Account Enumeration Across Platforms
Analyst context for executives and security teams
Domain account enumeration is an early warning behavior: it indicates someone or something is trying to learn which domain users or groups exist before choosing targets for follow-on activity. Even though this detection strategy object has no official detection text, its relationship to ATT&CK technique T1087.002 makes it relevant to identity security, SOC triage, and incident response because domain account lists can support privilege targeting and lateral movement planning.
Executive priority
Treat coverage for domain account enumeration as an identity-risk validation item, not just a low-level alert. Leaders should ask whether SOC and IR teams can prove visibility into domain account and group discovery across Windows, macOS, and Linux environments where domain services are used. This matters for operational resilience and audit readiness because weak visibility into account discovery can delay recognition of early-stage intrusion activity and weaken evidence during an investigation.
Technical view
DET0129 is a detection strategy for T1087.002 Domain Account, a sub-technique of T1087 Account Discovery under the Discovery tactic. The technique describes enumeration of domain users and groups with tools such as the Net utility (net user /domain, net group /domain) on Windows, dscacheutil -q group on macOS, and ldapsearch against the directory on Linux. Detection teams should validate whether identity, endpoint, and directory telemetry can distinguish routine administration from unusual domain account or group listing, especially when the activity comes from unexpected users, hosts, scripts, or service accounts.
Likely telemetry
- Directory service and LDAP query logs where available
- Endpoint process execution telemetry for account and group discovery commands
- Command-line arguments associated with domain user or group listing
- Authentication and account context for the user or service account performing enumeration
- Host context, including source system, operating system, and administrative role
Detection direction
- Map current detections to T1087.002 and confirm they cover domain account and group enumeration, not only local account discovery.
- Validate visibility across the related platforms identified for the technique: Linux, macOS, and Windows.
- Tune detections around context: source host, initiating account, frequency, volume, and whether the actor normally performs administrative directory queries.
- Account for false positives from help desk, identity administration, inventory tools, scripts, and legitimate directory management workflows.
- Look for relationship-driven context: enumeration may be more material when followed by authentication attempts, privilege discovery, or access to sensitive systems.
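The telemetry and tuning points above can be exercised against sample data. The following is an added example, not part of the DET0129 object or any MITRE text: a small Python detector that classifies constructed endpoint process events (host, user, command line) for the enumeration commands the T1087.002 technique lists, then scores each actor by allowlist membership and by burst frequency inside a time window. The event field names, the allowlisted accounts, the PowerShell Get-AD* cmdlet pattern, and the sample events are all assumptions for illustration; real deployments would read Sysmon, EDR, or auditd process telemetry and derive the allowlist from their own administrative workflow review.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns. The first three follow the examples in the
# T1087.002 technique text (Net utility domain queries on Windows,
# dscacheutil group queries on macOS, ldapsearch on Linux); the
# PowerShell AD cmdlet pattern is an added assumption for this example.
ENUM_PATTERNS = {
    "net_domain_query": re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b", re.I),
    "dscacheutil_query": re.compile(r"\bdscacheutil\s+-q\s+(?:group|user)\b", re.I),
    "ldapsearch": re.compile(r"\bldapsearch\b", re.I),
    "ad_cmdlet": re.compile(r"\bGet-AD(?:User|GroupMember|Group)\b", re.I),  # assumption
}

# Actors whose directory queries are routine by design (help desk,
# identity administration, inventory tooling). Assumed names.
ALLOWLISTED_USERS = {"corp\\svc-inventory", "corp\\helpdesk01"}


def classify(cmdline):
    """Return the name of the first enumeration pattern matching cmdline, or None."""
    for name, pattern in ENUM_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def detect(events, window=timedelta(minutes=10), burst_threshold=3):
    """Score process events for domain account/group enumeration.

    One alert per (host, user) actor. Severity applies the context tuning
    from the detection direction list: allowlisted actors are recorded as
    'info', a single hit is 'medium', and burst_threshold or more
    enumeration commands from one actor inside `window` are 'high'.
    """
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev["cmdline"])
        if kind is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        hits[(ev["host"], ev["user"].lower())].append((ts, kind, ev["cmdline"]))

    alerts = []
    for (host, user), seq in hits.items():
        if user in ALLOWLISTED_USERS:
            severity = "info"
        else:
            severity = "medium"
            # Sliding window: does any enumeration command open a window
            # holding burst_threshold or more enumeration commands?
            for i, (t0, _, _) in enumerate(seq):
                if sum(1 for t, _, _ in seq[i:] if t - t0 <= window) >= burst_threshold:
                    severity = "high"
                    break
        alerts.append({
            "host": host,
            "user": user,
            "severity": severity,
            "count": len(seq),
            "kinds": sorted({k for _, k, _ in seq}),
            "first_seen": seq[0][0].isoformat(),
            "commands": [c for _, _, c in seq],
        })
    return alerts


# Constructed sample telemetry (not real logs): one workstation user
# chaining three enumeration commands, one macOS user running a single
# group query, and an allowlisted inventory service account on Linux.
SAMPLE_EVENTS = [
    {"ts": "2026-01-14T09:00:05", "host": "WS-0417", "user": "CORP\\jdoe",
     "cmdline": "net  user /domain"},
    {"ts": "2026-01-14T09:00:11", "host": "WS-0417", "user": "CORP\\jdoe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2026-01-14T09:00:40", "host": "WS-0417", "user": "CORP\\jdoe",
     "cmdline": "powershell -nop -c Get-ADGroupMember 'Domain Admins'"},
    {"ts": "2026-01-14T09:01:02", "host": "WS-0417", "user": "CORP\\jdoe",
     "cmdline": "ipconfig /all"},
    {"ts": "2026-01-14T10:15:00", "host": "MBP-22", "user": "corp\\asmith",
     "cmdline": "dscacheutil -q group -a name engineering"},
    {"ts": "2026-01-14T11:30:00", "host": "lnx-build-3", "user": "corp\\svc-inventory",
     "cmdline": "ldapsearch -x -H ldap://dc01.corp.example -b dc=corp,dc=example "
                "(objectClass=user) sAMAccountName"},
]


def run_sample():
    """Run the detector over the constructed sample events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"].upper(), alert["host"], alert["user"],
              alert["count"], alert["kinds"])
```

The allowlist is deliberately a downgrade to informational rather than a suppression: the inventory account's queries still land in the record so they can be reconstructed during an investigation, which is the point of centralizing the telemetry. The burst rule catches the chaining pattern (users, then privileged groups, then group membership) that the relationship-driven bullet describes, while a lone dscacheutil query from a developer stays at medium for analyst review.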
Mitigation priorities
- Prioritize least-privilege review for accounts able to query broad domain information, while recognizing that some directory visibility may be normal by design.
- Ensure administrative and service account usage is governed, attributable, and monitored.
- Harden and monitor directory services and identity infrastructure used for account and group lookups.
- Centralize endpoint and identity telemetry needed for incident reconstruction.
- Use detection validation exercises to confirm SOC runbooks can triage benign administration versus suspicious enumeration.
Analyst notes and limits
This take is based on the DET0129 detection strategy object and its relationship to ATT&CK technique T1087.002 Domain Account. The detection strategy itself does not include an official description, detection logic, platforms, or tactics, so practical guidance is derived conservatively from the related technique metadata and description.
No official detection text, data sources, analytics, mitigations, or platform list are provided directly on the DET0129 object. The related technique carries the Discovery tactic and lists Linux, macOS, and Windows as platforms, but local architecture, directory design, logging configuration, and administrative workflows determine actual detection coverage and priority.
Domain Account Enumeration Across Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1087.002 | Domain Account (sub-technique of T1087 Account Discovery) | This detection strategy detects T1087.002 Domain Account. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7b28572d37f6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0129
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.