AN0364: Analytic 0364
Domain account enumeration using ldapsearch, Samba tools (e.g., 'wbinfo -u'), or winbindd lookups.
Analyst context for executives and security teams
This analytic focuses on a Linux host being used to enumerate domain accounts through LDAP, Samba tooling, or winbind lookups. For security leaders, the practical concern is not the tool name; it is whether a Linux system can query identity infrastructure in a way that exposes account lists and supports follow-on intrusion activity. Even without a supplied tactic or detection logic, this is a useful coverage checkpoint for environments where Linux servers, workstations, or appliances are joined to or integrated with centralized domain identity.
Executive priority
Prioritize this as an identity visibility and incident-readiness question: can the organization see domain account enumeration from Linux systems, determine whether it is authorized administration, and preserve enough evidence for response or audit review? This matters for identity risk management, SOC triage quality, and validating whether Linux estate monitoring is comparable to Windows-focused identity monitoring.
Technical view
The supplied ATT&CK object describes domain account enumeration from Linux using ldapsearch, Samba tools such as wbinfo -u, or winbindd lookups. SOC and detection teams should validate whether Linux process execution, command-line arguments, authentication/LDAP activity, and Samba/winbind-related logs are collected and correlated with identity infrastructure logs. Because no official detection logic, tactic, or relationships are supplied, teams should treat this as a detection engineering requirement rather than a ready-made rule.
Likely telemetry
- Linux process execution telemetry including command names and command-line arguments
- Shell or audit logs showing execution of ldapsearch, wbinfo, or related Samba/winbind utilities
- Samba and winbind service logs where enabled
- LDAP query activity observed by directory or identity infrastructure
- Authentication and account lookup events associated with Linux hosts
Detection direction
- Validate visibility for ldapsearch, Samba tooling, and winbindd-driven account lookup activity on Linux platforms.
- Tune detections around unusual source hosts, unusual users, unexpected query volume, or execution from systems that do not normally administer or integrate with domain identity.
- Separate legitimate administration, directory health checks, and identity-integrated services from suspicious enumeration by baselining approved Linux systems and service accounts.
- Correlate Linux endpoint evidence with directory-side LDAP/authentication telemetry to reduce false positives and confirm whether account enumeration occurred.
- Document blind spots where Linux command-line logging, Samba/winbind logs, or directory query logs are missing or retained for too short a period.
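One way to turn the detection direction above into a first-pass rule, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it runs over constructed process-execution lines (host, user, command line; the hostnames, accounts and the approved-actor baseline are made-up values), flags enumeration-style invocations of ldapsearch, wbinfo and net from actors outside the baseline, and escalates when one actor repeats several listings.

```python
import re
from collections import Counter
# Constructed sample events in a "host= user= cmd=" shape (made-up hosts and accounts);
# in practice these come from auditd EXECVE records or an EDR process-creation feed.
SAMPLE_EVENTS = [
    "host=idm-admin01 user=svc_ldapsync cmd=ldapsearch -x -H ldaps://dc01.corp.example -b dc=corp,dc=example (objectClass=user)",
    "host=idm-admin01 user=svc_ldapsync cmd=wbinfo -p",
    "host=web07 user=www-data cmd=ldapsearch -x -H ldap://dc01.corp.example -b dc=corp,dc=example (objectClass=user) sAMAccountName",
    "host=build03 user=jdoe cmd=wbinfo -u",
    "host=build03 user=jdoe cmd=wbinfo -g",
    "host=build03 user=jdoe cmd=net ads user",
    "host=db02 user=root cmd=ldapsearch -x -b dc=corp,dc=example cn=app-readonly",
]
# Baseline of (host, user) pairs permitted to query domain identity (assumed values).
APPROVED_ACTORS = {("idm-admin01", "svc_ldapsync")}
LINE_RE = re.compile(r"host=(\S+) user=(\S+) cmd=(.*)$")

# Enumeration-style invocations of the tools AN0364 names. 'wbinfo -p' only pings
# winbindd (a health check), so it is deliberately not matched.
ENUM_PATTERNS = [
    (re.compile(r"^ldapsearch\b"), "ldapsearch query"),
    (re.compile(r"^wbinfo\b.*\s(-u|-g|--domain-users|--domain-groups)\b"), "wbinfo user/group listing"),
    (re.compile(r"^net\s+(ads|rpc)\s+(user|group)\b"), "net user/group listing"),
]

def classify(cmd):
    """Return a label when the command line looks like account enumeration, else None."""
    for pattern, label in ENUM_PATTERNS:
        if pattern.search(cmd):
            return label
    return None

def analyze(events, approved, volume_threshold=3):
    """Flag enumeration from actors outside the baseline; escalate repeat actors."""
    findings, per_actor = [], Counter()
    for line in events:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, user, cmd = m.groups()
        label = classify(cmd)
        if label is None:
            continue
        per_actor[(host, user)] += 1
        if (host, user) in approved:
            continue  # expected administration or identity integration, not a finding
        findings.append({"host": host, "user": user, "tool": label, "cmd": cmd})
    for f in findings:  # one actor repeating several listings is more suspicious
        f["severity"] = "high" if per_actor[(f["host"], f["user"])] >= volume_threshold else "medium"
    return findings
```

Directory-side LDAP or authentication logs should be joined on host and user before a finding is escalated, since a bare ldapsearch from an unlisted host may be an undocumented but legitimate integration.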
Mitigation priorities
- Establish an approved inventory of Linux hosts and accounts permitted to query domain identity services.
- Limit directory query permissions and service account privileges to business need where feasible.
- Enable and retain relevant Linux process, Samba/winbind, and directory telemetry for investigation and compliance evidence.
- Review administrative procedures so expected domain enumeration from Linux is attributable to named users, managed services, or documented automation.
- Use incident response playbooks to define when unexpected enumeration should trigger account review, host investigation, or identity hardening actions.
Analyst notes and limits
This Glexia take is based on a sparse ATT&CK detection analytic: AN0364 describes domain account enumeration on Linux using ldapsearch, Samba tools, or winbindd lookups. No official detection text, tactic mapping, mitigation mapping, or relationship context was supplied, so recommendations focus on validation, telemetry readiness, and conservative detection engineering direction.
The object does not provide a formal detection query, tactic, related techniques, threat actors, campaigns, or evidence of active exploitation. Local environment context is required to distinguish authorized Linux identity integration and administration from suspicious enumeration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e49c7884c6ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.