root / Notes / Red team / 09 discovery / Account discovery.md

Account Discovery

Last Updated: January 5, 2026
discoveryaccountsad-reconbloodhound

Account Discovery (T1087)

Who is here? Who is Admin?

1. Local Accounts

  • Command: net user
  • Admins: net localgroup Administrators
  • PowerShell: Get-LocalUser

2. Domain Accounts

  • Domain Admins: net group "Domain Admins" /domain
  • PowerShell: Get-ADUser -Filter * -Properties * (Loud).

3. BloodHound (Graph Theory)

The ultimate discovery tool.

  • SharpHound: Collector ingestor runs on the endpoint. Queries DC for sessions, groups, ACLs.
  • Visualization: Shows "shortest path to Domain Admin".
    • Example: User A -> Can Reset Password of User B -> Is Admin on Machine C -> Has Session of Domain Admin.