S0105: dsquery
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
Analyst context for executives and security teams
dsquery is a legitimate Microsoft command-line utility for querying Active Directory. Its business significance is that the same tool administrators use for directory lookups can help an intruder understand domain accounts, groups, system details, and trust relationships before choosing lateral movement or privilege targets.
Executive priority
Treat dsquery visibility as an Active Directory readiness question, not just a malware question. Leaders should ask whether the organization can distinguish normal directory administration from suspicious discovery, especially on Windows servers and non-server systems where Remote Server Administration Tools may be installed. ATT&CK relationship context links dsquery use to multiple campaigns and groups, so coverage supports incident scoping, identity risk decisions, and audit evidence around directory monitoring.
Technical view
For SOC, detection engineering, and IR teams, validate Windows process execution visibility for dsquery and its command-line arguments, parent process, user, host role, and timing. The ATT&CK relationships map this tool to discovery behaviors including Domain Groups, Domain Account, Domain Trust Discovery, and System Information Discovery. Because MITRE provides no official detection text for this object, local baselining is important: separate expected administrator/server usage from execution on unusual workstations, unexpected service accounts, or during incident timelines.
Likely telemetry
- Windows endpoint process creation events for dsquery execution
- Command-line arguments and working directory where available
- User, logon context, host role, and source system details
- Parent and child process context
- Active Directory or directory service query/audit logs if collected
Detection direction
- Confirm that dsquery command execution is collected with full command-line detail on relevant Windows systems.
- Baseline legitimate administrative usage by domain administrators, server administrators, and management hosts.
- Prioritize review of dsquery use on non-server Windows systems, newly observed hosts, unexpected users, or systems involved in an investigation.
- Correlate dsquery activity with related discovery patterns for domain accounts, domain groups, system information, and domain trusts.
- Account for false positives from legitimate administration, scripts, inventory tasks, and troubleshooting because dsquery is a Microsoft utility.
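The baselining logic described in the list above, written out as an added example rather than anything from MITRE ATT&CK or Microsoft: the Python below takes constructed process-creation records shaped like normalized Security 4688 / Sysmon Event ID 1 fields, keeps only dsquery executions (with or without a full image path), maps the dsquery object type or LDAP filter to the four technique IDs this page lists (T1087.002, T1069.002, T1482, T1082), and flags runs that fall outside an assumed baseline of admin hosts, admin users and expected parent processes. The host names, user names, event field names and baseline sets are assumptions; the dsquery switches (`-filter`, `-attr`, `-name`, `-limit`) and the `trustedDomain` object class are real.

```python
"""Classify dsquery process-creation events against a local admin baseline.
Added example for this page, not code from MITRE ATT&CK or Microsoft; event
records, field names, host roles and the baseline sets are constructed assumptions
shaped like normalized Security 4688 / Sysmon Event ID 1 data."""
import ntpath
import re
import shlex

# ATT&CK techniques the page maps dsquery to, keyed by dsquery object type.
TECHNIQUE_BY_OBJECT = {
    "user": ("T1087.002", "Domain Account"),
    "group": ("T1069.002", "Domain Groups"),
    "computer": ("T1082", "System Information Discovery"),
    "server": ("T1082", "System Information Discovery"),
}

# With `dsquery *` the intent is in the LDAP filter or -attr list; first match wins.
FILTER_HINTS = [
    (re.compile(r"trusteddomain", re.I), ("T1482", "Domain Trust Discovery")),
    (re.compile(r"objectcategory=person|objectclass=user", re.I), TECHNIQUE_BY_OBJECT["user"]),
    (re.compile(r"objectcategory=group|objectclass=group", re.I), TECHNIQUE_BY_OBJECT["group"]),
    (re.compile(r"objectcategory=computer|operatingsystem", re.I), TECHNIQUE_BY_OBJECT["computer"]),
]

# Assumed local baseline: where, by whom and from what parent dsquery is expected.
BASELINE = {
    "admin_hosts": {"mgmt01"},
    "admin_users": {r"corp\da-jsmith"},
    "expected_parents": {"cmd.exe", "powershell.exe"},
}

def tokenize(cmdline):
    """Split a Windows command line, keeping a quoted LDAP filter as one token."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def is_dsquery(tokens):
    """True when the executed image is dsquery, whether or not a path was given."""
    return bool(tokens) and ntpath.basename(tokens[0]).lower() in ("dsquery", "dsquery.exe")

def classify(tokens):
    """Return (technique_id, technique_name) for a dsquery command line, else None."""
    if len(tokens) < 2:
        return None
    obj = tokens[1].lower()
    if obj in TECHNIQUE_BY_OBJECT:
        return TECHNIQUE_BY_OBJECT[obj]
    if obj == "*":
        rest = " ".join(tokens[2:])
        for pattern, technique in FILTER_HINTS:
            if pattern.search(rest):
                return technique
    return None

def assess(event, baseline=BASELINE):
    """Return a triage record for a dsquery event, or None for any other process."""
    tokens = tokenize(event["cmdline"])
    if not is_dsquery(tokens):
        return None
    parent = ntpath.basename(event["parent"]).lower()
    findings = []
    if event["host_role"] != "server" and event["host"] not in baseline["admin_hosts"]:
        findings.append("non-server host outside admin host list")
    if event["user"].lower() not in baseline["admin_users"]:
        findings.append("user not in admin baseline")
    if parent not in baseline["expected_parents"]:
        findings.append(f"unexpected parent {parent}")
    technique = classify(tokens)
    return {
        "host": event["host"],
        "user": event["user"],
        "technique": technique[0] if technique else None,
        "technique_name": technique[1] if technique else None,
        "findings": findings,
        "disposition": "review" if findings else "baseline",
    }

# Constructed sample events; none of these hosts, users or commands come from the page.
SAMPLE_EVENTS = [
    {"host": "mgmt01", "host_role": "server", "user": r"CORP\da-jsmith",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "dsquery user -name svc-* -limit 0"},
    {"host": "ws-fin-042", "host_role": "workstation", "user": r"CORP\amiller", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'dsquery * -filter "(objectClass=trustedDomain)" -attr name flatName trustDirection'},
    {"host": "web01", "host_role": "server", "user": r"IIS APPPOOL\DefaultAppPool", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r'"C:\Windows\System32\dsquery.exe" group -name "Domain Admins" -limit 0'},
    {"host": "ws-hr-007", "host_role": "workstation", "user": r"CORP\bwong", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'dsquery * -filter "(objectCategory=computer)" -attr name operatingSystem -limit 0'},
    {"host": "mgmt01", "host_role": "server", "user": r"CORP\da-jsmith",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": 'net group "Domain Admins" /domain'},
]

def run(events=SAMPLE_EVENTS):
    """Assess every event and drop the ones that are not dsquery."""
    return [r for r in (assess(e) for e in events) if r is not None]

if __name__ == "__main__":
    for r in run():
        print(f"{r['disposition']:8} {r['host']:12} {r['technique']} {r['findings']}")
```

Two caveats that follow from the list above. Parent-process baselining on its own is weak, because administrators and intruders alike launch dsquery from cmd.exe; the host-role and user checks carry most of the weight, and an IIS worker process such as w3wp.exe as the parent is the kind of signal worth a standing rule rather than a baseline exception. The classifier also only sees dsquery: the same LDAP queries issued from PowerShell, ADSI or a custom tool never reach it, which is why the page's advice to correlate with other domain-account, group, trust and system-information discovery telemetry matters.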
Mitigation priorities
- Inventory where dsquery is available, including Windows Server systems and non-server systems with RSAT installed.
- Limit installation and use of administrative tooling to approved administrative hosts and roles where feasible.
- Apply least-privilege and administrative access governance so directory discovery from compromised low-value accounts has less operational value.
- Maintain monitoring and retention sufficient to reconstruct directory discovery during incident response.
- Use findings to improve AD administration procedures, SOC playbooks, and compliance evidence for identity and directory monitoring.
Analyst notes and limits
The strongest defensive value is not blocking dsquery by default, but knowing when its use is expected and when it indicates domain reconnaissance. Relationship context shows reported use by Operation CuckooBees, Operation Wocao, C0017, FIN8, and APT41, and technique relationships are discovery-focused.
MITRE does not provide official detection guidance for this object, and the software object has no explicit tactic listed. Any detection logic must be validated against the local Windows, Active Directory, RSAT, and administrative operating model. Relationship descriptions do not prove current activity or exposure in any specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | dsquery can be used to gather information on user accounts within a domain. [1] [Mandiant APT41] |
| Enterprise | T1482 | Domain Trust Discovery | dsquery can be used to gather information on domain trusts with |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | dsquery can be used to gather information on permission groups within a domain. [1] [Mandiant APT41] |
| Enterprise | T1082 | System Information Discovery | dsquery has the ability to enumerate various information, such as the operating system and host name, for systems within a domain. [Mandiant APT41] |
Groups, software, and campaigns
G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
C0012: Operation CuckooBees
Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[1]
C0017: C0017
C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).[1]
C0014: Operation Wocao
Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.[1]
Security researchers assessed the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | ed61b053f9aa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TechNet Dsquery: Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
[2] MITRE ATT&CK: S0105 dsquery (mitre-attack source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.