Which SIEM platforms have a T1033 detection rule?

df00tech provides T1033 (System Owner/User Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Owner/User Discovery (T1033)?

Detecting System Owner/User Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1033 detection?

The T1033 detection is rated low severity with medium confidence.

What are common false positives for T1033?

Common false positives for T1033 include: IT helpdesk and system administrators routinely running whoami or query user when troubleshooting user sessions on RDS/Terminal Server hosts; Software deployment and configuration management agents (SCCM, Ansible, Chef, Puppet) that enumerate local users as part of compliance checks; Vulnerability scanners and security baselines tools (Nessus, Tenable.io, CIS-CAT) that query user accounts during authenticated scans.

T1033

System Owner/User Discovery

Discovery Last updated: April 16, 2026

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this by retrieving account usernames via built-in OS utilities such as whoami, query user, qwinsta, w, who, and id, or by querying environment variables, WMI, and Active Directory. The information is used during automated discovery to shape follow-on behaviors — determining whether to fully deploy a payload, escalate privileges, or target a specific high-value user account.

What is T1033 System Owner/User Discovery?

System Owner/User Discovery (T1033) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for System Owner/User Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated low severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1033 System Owner/User Discovery
Canonical reference: https://attack.mitre.org/techniques/T1033/

Microsoft Sentinel / Defender

kusto

let UserDiscoveryCommands = dynamic([
  "whoami", "query user", "qwinsta", "quser",
  "wmic useraccount", "wmic /node",
  "net user", "net localgroup",
  "Get-LocalUser", "Get-ADUser",
  "$env:USERNAME", "%USERNAME%", "%USERDOMAIN%"
]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
  "schtasks.exe", "at.exe", "msbuild.exe", "installutil.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // whoami with enumeration flags is more suspicious than bare whoami
    (FileName =~ "whoami.exe" and ProcessCommandLine has_any ("/all", "/groups", "/priv", "/fo"))
    // query user / qwinsta used outside of RDS admin contexts
    or FileName in~ ("query.exe", "qwinsta.exe", "quser.exe")
    // wmic useraccount enumeration
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("useraccount", "UserAccount"))
    // net user domain enumeration
    or (FileName =~ "net.exe" and ProcessCommandLine has_any ("user /domain", "localgroup administrators", "group /domain"))
    or (FileName =~ "net1.exe" and ProcessCommandLine has_any ("user /domain", "localgroup administrators"))
    // PowerShell user enumeration cmdlets
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-LocalUser", "Get-ADUser", "Get-WmiObject Win32_UserAccount", "[System.Security.Principal.WindowsIdentity]::GetCurrent", "whoami"))
)
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend BareWhoami = (FileName =~ "whoami.exe" and not (ProcessCommandLine has_any ("/all", "/groups", "/priv", "/fo")))
| extend HighPrivContext = AccountName has_any ("SYSTEM", "Administrator") or InitiatingProcessAccountName has_any ("SYSTEM", "Administrator")
| extend RiskScore = toint(SuspiciousParent) + toint(not BareWhoami) + toint(HighPrivContext)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, SuspiciousParent, HighPrivContext, RiskScore
| sort by Timestamp desc

Detects system owner and user discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Captures whoami with enumeration flags (/all, /groups, /priv), query user/qwinsta/quser execution, wmic useraccount queries, net user domain enumeration, and PowerShell user discovery cmdlets. Applies a RiskScore based on suspicious parent process, enriched command-line flags, and high-privilege execution context. Bare 'whoami' without flags is intentionally down-weighted due to high false positive volume.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT helpdesk and system administrators routinely running whoami or query user when troubleshooting user sessions on RDS/Terminal Server hosts
Software deployment and configuration management agents (SCCM, Ansible, Chef, Puppet) that enumerate local users as part of compliance checks
Vulnerability scanners and security baselines tools (Nessus, Tenable.io, CIS-CAT) that query user accounts during authenticated scans
Monitoring and SIEM agents that collect user session data for asset inventory (e.g., Tanium, BigFix, Qualys Cloud Agent)
Developer tooling and CI/CD pipelines that resolve the current user context during build or deployment steps

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (
    (Image="*\\whoami.exe" AND (CommandLine="*/all*" OR CommandLine="*/groups*" OR CommandLine="*/priv*" OR CommandLine="*/fo*"))
    OR (Image="*\\query.exe" OR Image="*\\qwinsta.exe" OR Image="*\\quser.exe")
    OR (Image="*\\wmic.exe" AND (CommandLine="*useraccount*" OR CommandLine="*UserAccount*"))
    OR (Image="*\\net.exe" AND (CommandLine="*user /domain*" OR CommandLine="*localgroup administrators*" OR CommandLine="*group /domain*"))
    OR (Image="*\\net1.exe" AND (CommandLine="*user /domain*" OR CommandLine="*localgroup administrators*"))
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-LocalUser*" OR CommandLine="*Get-ADUser*" OR CommandLine="*Win32_UserAccount*" OR CommandLine="*WindowsIdentity*" OR CommandLine="*whoami*"))
  )
| eval SuspiciousParent=if(match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)$"), 1, 0)
| eval EnrichedFlags=if(match(lower(CommandLine), "(/all|/groups|/priv|/fo|useraccount|get-localuser|get-aduser|windowsidentity)"), 1, 0)
| eval HighPriv=if(match(lower(User), "(system|administrator|admin)"), 1, 0)
| eval RiskScore=SuspiciousParent + EnrichedFlags + HighPriv
| where RiskScore >= 1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspiciousParent, EnrichedFlags, HighPriv, RiskScore
| sort - RiskScore, - _time

Detects user discovery commands via Sysmon Event ID 1 (Process Creation). Captures whoami with enumeration flags, query/qwinsta/quser, wmic useraccount, net user domain queries, and PowerShell user enumeration cmdlets. Assigns a cumulative RiskScore based on suspicious parent process origin, enriched command-line flags, and high-privilege execution context. Events with RiskScore >= 1 are surfaced to reduce noise from bare whoami calls.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT helpdesk staff and administrators troubleshooting user sessions on RDS or shared servers
Configuration management agents running user enumeration as part of inventory or compliance baselines
Vulnerability scanners performing authenticated user enumeration during scheduled scans
Monitoring agents collecting user session metadata for asset tracking and inventory platforms
Developer and CI/CD automation resolving current user context during build or test steps

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
    (
      (process.name : "whoami.exe" and process.args : ("/all", "/groups", "/priv", "/fo"))
      or process.name : ("query.exe", "qwinsta.exe", "quser.exe")
      or (process.name : "wmic.exe" and process.command_line : ("*useraccount*", "*UserAccount*"))
      or (process.name : "net.exe" and process.command_line : ("*user /domain*", "*localgroup administrators*", "*group /domain*"))
      or (process.name : "net1.exe" and process.command_line : ("*user /domain*", "*localgroup administrators*"))
      or (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*Get-LocalUser*", "*Get-ADUser*", "*Win32_UserAccount*", "*WindowsIdentity*", "*whoami*"))
    )
  ] by process.parent.entity_id
  [process where event.type == "start" and
    process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "msbuild.exe", "installutil.exe")
  ] by process.entity_id

/* Standalone alert for single-event detection without parent correlation */
// process where event.type == "start" and
//   (
//     (process.name : "whoami.exe" and process.args : ("/all", "/groups", "/priv", "/fo"))
//     or process.name : ("query.exe", "qwinsta.exe", "quser.exe")
//     or (process.name : "wmic.exe" and process.command_line : ("*useraccount*", "*UserAccount*"))
//     or (process.name : "net.exe" and process.command_line : ("*user /domain*", "*localgroup administrators*", "*group /domain*"))
//     or (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*Get-LocalUser*", "*Get-ADUser*", "*Win32_UserAccount*", "*WindowsIdentity*", "*whoami*"))
//   ) and
//   process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")

Detects T1033 System Owner/User Discovery by correlating user enumeration commands (whoami /all, query user, qwinsta, wmic useraccount, net user /domain, Get-LocalUser, Get-ADUser) launched from suspicious parent processes. Uses EQL sequence to correlate discovery tool execution with suspicious initiating process context. Risk scoring applied via parent process and privilege context.

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

IT administrators running whoami /all or net user /domain for legitimate identity verification or troubleshooting — especially during onboarding, patch validation, or Active Directory audits
Security tooling and EDR agents that periodically enumerate local users for inventory purposes may trigger on wmic useraccount or Get-LocalUser patterns
Remote Desktop and terminal server administration tools (e.g., Remote Desktop Services management scripts) that use qwinsta and quser for session monitoring in multi-user environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "Account Domain" AS account_domain,
  "Process Name" AS process_name,
  "Process Command Line" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)$' THEN 1
    ELSE 0
  END AS suspicious_parent,
  CASE
    WHEN LOWER("Process Command Line") IMATCHES '.*((/all|/groups|/priv|/fo)|useraccount|get-localuser|get-aduser|windowsidentity|user /domain|localgroup administrators).*' THEN 1
    ELSE 0
  END AS enriched_flags,
  CASE
    WHEN LOWER(username) IMATCHES '.*(system|administrator|admin).*' THEN 1
    ELSE 0
  END AS high_priv
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 14, 169, 260)
  AND QIDNAME(qid) IN ('Process Create', 'Sysmon - Process Create')
  AND (
    (LOWER("Process Name") IMATCHES '.*\\whoami\.exe$' AND LOWER("Process Command Line") IMATCHES '.*/all.*|.*/groups.*|.*/priv.*|.*/fo.*')
    OR LOWER("Process Name") IMATCHES '.*(\\query\.exe|\\qwinsta\.exe|\\quser\.exe)$'
    OR (LOWER("Process Name") IMATCHES '.*\\wmic\.exe$' AND LOWER("Process Command Line") IMATCHES '.*(useraccount|useraccount).*')
    OR (LOWER("Process Name") IMATCHES '.*\\net\.exe$' AND LOWER("Process Command Line") IMATCHES '.*(user /domain|localgroup administrators|group /domain).*')
    OR (LOWER("Process Name") IMATCHES '.*\\net1\.exe$' AND LOWER("Process Command Line") IMATCHES '.*(user /domain|localgroup administrators).*')
    OR (LOWER("Process Name") IMATCHES '.*(\\powershell\.exe|\\pwsh\.exe)$' AND LOWER("Process Command Line") IMATCHES '.*(get-localuser|get-aduser|win32_useraccount|windowsidentity|whoami).*')
  )
  AND LAST 24 HOURS
ORDER BY
  (suspicious_parent + enriched_flags + high_priv) DESC, starttime DESC

Detects T1033 System Owner/User Discovery in QRadar using AQL against Windows Security event log and Sysmon process creation events. Queries for execution of whoami with enumeration flags, query/qwinsta/quser, wmic useraccount, net user /domain, and PowerShell user discovery cmdlets. Applies risk scoring based on suspicious parent process, enriched command-line flags, and high-privilege user context.

medium severity medium confidence

Data Sources

IBM QRadar with Windows Security Log DSM QRadar with Sysmon DSM (Microsoft Windows Security Event Log) QRadar Universal DSM for Sysmon

Required Tables

events

False Positives

Helpdesk or IT support staff using net user /domain or query user interactively from cmd.exe to troubleshoot user account or RDS session issues
System inventory or SCCM/Intune management agents that use wmic useraccount or PowerShell Get-LocalUser for compliance reporting and asset management
Automated deployment scripts and CI/CD pipelines that verify user context with whoami or environment variable checks before executing privileged operations

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="os/windows")
| where EventID = "1" or EventID = "4688"
| where (
    (toLowerCase(Image) matches "*\\whoami.exe" and (toLowerCase(CommandLine) matches "*/all*" or toLowerCase(CommandLine) matches "*/groups*" or toLowerCase(CommandLine) matches "*/priv*" or toLowerCase(CommandLine) matches "*/fo*"))
    or toLowerCase(Image) matches "*\\query.exe" or toLowerCase(Image) matches "*\\qwinsta.exe" or toLowerCase(Image) matches "*\\quser.exe"
    or (toLowerCase(Image) matches "*\\wmic.exe" and (toLowerCase(CommandLine) matches "*useraccount*"))
    or (toLowerCase(Image) matches "*\\net.exe" and (toLowerCase(CommandLine) matches "*user /domain*" or toLowerCase(CommandLine) matches "*localgroup administrators*" or toLowerCase(CommandLine) matches "*group /domain*"))
    or (toLowerCase(Image) matches "*\\net1.exe" and (toLowerCase(CommandLine) matches "*user /domain*" or toLowerCase(CommandLine) matches "*localgroup administrators*"))
    or ((toLowerCase(Image) matches "*\\powershell.exe" or toLowerCase(Image) matches "*\\pwsh.exe") and (toLowerCase(CommandLine) matches "*get-localuser*" or toLowerCase(CommandLine) matches "*get-aduser*" or toLowerCase(CommandLine) matches "*win32_useraccount*" or toLowerCase(CommandLine) matches "*windowsidentity*" or toLowerCase(CommandLine) matches "*whoami*"))
  )
| if(toLowerCase(ParentImage) matches "*(cmd.exe|powershell.exe|pwsh.exe|wscript.exe|cscript.exe|mshta.exe|rundll32.exe|regsvr32.exe|schtasks.exe|msbuild.exe|installutil.exe)", 1, 0) as suspicious_parent
| if(toLowerCase(CommandLine) matches "*(/all|/groups|/priv|/fo|useraccount|get-localuser|get-aduser|windowsidentity|user /domain|localgroup administrators)*", 1, 0) as enriched_flags
| if(toLowerCase(User) matches "*(system|administrator|admin)*", 1, 0) as high_priv
| suspicious_parent + enriched_flags + high_priv as RiskScore
| where RiskScore >= 1
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, suspicious_parent, enriched_flags, high_priv, RiskScore
| sort by RiskScore desc, _messageTime desc

Detects T1033 System Owner/User Discovery in Sumo Logic by searching Windows Sysmon (Event ID 1) and Security (Event ID 4688) process creation logs for execution of user discovery commands including whoami with enumeration flags, query/qwinsta/quser, wmic useraccount, net user /domain, and PowerShell user enumeration cmdlets. Risk score computed from suspicious parent process, enriched flags, and high-privilege context.

medium severity high confidence

Data Sources

Sumo Logic Windows Source (Sysmon Operational log) Sumo Logic Windows Security Log Source Sumo Logic Installed Collector on Windows endpoints

Required Tables

windows/sysmon windows/security os/windows

False Positives

Windows administration scripts that use whoami /all to verify token privileges before applying group policy or configuring services, particularly during system initialization
Privileged Access Workstation (PAW) monitoring tools that enumerate local administrators via Get-LocalUser or net localgroup administrators for access validation
Threat hunting or red team exercises conducted in production environments where security teams execute discovery commands from PowerShell or cmd.exe to simulate adversary behavior

Google Chronicle / SecOps

yaral

rule T1033_System_Owner_User_Discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1033 System Owner/User Discovery via execution of user enumeration utilities with suspicious parent process or elevated privilege context"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1033"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1033/"
    severity = "MEDIUM"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\whoami\.exe$`) and
        re.regex($e.target.process.command_line, `(?i).*(/all|/groups|/priv|/fo).*`)
      ) or
      re.regex($e.target.process.file.full_path, `(?i).*\\(query|qwinsta|quser)\.exe$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i).*(useraccount).*`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i).*(user\s+/domain|localgroup\s+administrators|group\s+/domain).*`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i).*(Get-LocalUser|Get-ADUser|Win32_UserAccount|WindowsIdentity|whoami).*`)
      )
    )
    (
      re.regex($e.principal.process.file.full_path, `(?i).*\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|schtasks|msbuild|installutil)\.exe$`) or
      re.regex($e.principal.user.userid, `(?i).*(system|administrator|admin).*`) or
      re.regex($e.target.process.command_line, `(?i).*(/all|/groups|/priv|/fo|useraccount|Get-LocalUser|Get-ADUser|WindowsIdentity|user\s*/domain|localgroup administrators).*`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1033 System Owner/User Discovery. Matches PROCESS_LAUNCH UDM events where a user discovery binary (whoami, query, qwinsta, quser, wmic, net, powershell) is executed with suspicious flags or from a suspicious parent process. Correlates principal process (parent) context with target process (child) command line to reduce false positives from bare whoami invocations.

medium severity high confidence

Data Sources

Chronicle UDM with Windows Event Forwarding Chronicle with CrowdStrike Falcon telemetry Chronicle with Carbon Black EDR Chronicle with Microsoft Defender for Endpoint via SIEM connector

Required Tables

UDM events (PROCESS_LAUNCH)

False Positives

Legitimate system health check scripts invoked from cmd.exe or PowerShell that use whoami or Get-LocalUser to validate service account permissions during automated maintenance windows
Enterprise monitoring agents such as Splunk Universal Forwarder, Elastic Agent, or SolarWinds that run periodic user context checks using wmic or PowerShell cmdlets
Developer workstations where build automation tools (MSBuild, InstallUtil) spawn PowerShell to query the current user context for path resolution or permission checks during software compilation

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\whoami\.exe|\\query\.exe|\\qwinsta\.exe|\\quser\.exe|\\wmic\.exe|\\net\.exe|\\net1\.exe|\\powershell\.exe|\\pwsh\.exe)$/
| CommandLine = /(?i)(/all|/groups|/priv|/fo|useraccount|UserAccount|user\s+/domain|localgroup\s+administrators|group\s+/domain|Get-LocalUser|Get-ADUser|Win32_UserAccount|WindowsIdentity|whoami)/
| ParentBaseFileName = /(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)/
  OR UserName = /(?i)(SYSTEM|Administrator)/
| SuspiciousParent := if(ParentBaseFileName = /(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)/, 1, 0)
| EnrichedFlags := if(CommandLine = /(?i)(/all|/groups|/priv|/fo|useraccount|Get-LocalUser|Get-ADUser|WindowsIdentity|user\s*/domain|localgroup administrators)/, 1, 0)
| HighPriv := if(UserName = /(?i)(SYSTEM|Administrator|admin)/, 1, 0)
| RiskScore := SuspiciousParent + EnrichedFlags + HighPriv
| RiskScore >= 1
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName], function=[
    count(as=EventCount),
    max(RiskScore, as=MaxRiskScore),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| sort(MaxRiskScore, order=desc)

Detects T1033 System Owner/User Discovery using CrowdStrike Falcon LogScale (CQL) against ProcessRollup2 events. Matches execution of whoami with enumeration flags, query/qwinsta/quser, wmic useraccount, net user /domain, and PowerShell user enumeration cmdlets. Filters by suspicious parent process or high-privilege user context. Results are aggregated per host and process to surface repeated discovery patterns.

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) CrowdStrike Falcon LogScale with Windows endpoint telemetry

Required Tables

ProcessRollup2

False Positives

IT support personnel using Remote Assistance or remote administration scripts that invoke whoami /all or query user to troubleshoot user session or token issues from PowerShell remoting sessions
Automated provisioning pipelines (e.g., Ansible, Chef, Puppet) that run as SYSTEM or Administrator and check current user context with whoami or environment variable queries before applying configuration
Security operations scripts or SOAR playbooks that enumerate local users via Get-LocalUser or net localgroup administrators as part of automated incident triage or host baseline collection

Sigma rule & cross-platform mapping

The detection logic for System Owner/User Discovery (T1033) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1033 Sigma rules on detection.fyi

Platform-specific guides for T1033

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Whoami Full Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\whoami.exe, CommandLine='whoami /all', ParentImage=cmd.exe or calling shell. Security Event ID 4688 if command line auditing is enabled. No network events expected.
Test 2Query Active User Sessions
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\query.exe, CommandLine='query user'. Alternatively may appear as quser.exe. Security Event ID 4688 with command line auditing enabled.
Test 3WMI User Account Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\wbem\wmic.exe, CommandLine containing 'useraccount get'. No network events if targeting local system. Security Event ID 4688 with full command line if auditing is enabled.
Test 4Linux Multi-Command User Discovery
Expected signal: Linux auditd: SYSCALL records for execve of /usr/bin/whoami, /usr/bin/id, /usr/bin/w, /usr/bin/who, /usr/bin/last, /bin/cat with respective arguments. Syslog entries if auditd is configured to log to syslog. On systems with Sysmon for Linux: EventType=ProcessCreate for each command.
Test 5PowerShell Active Directory User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_UserAccount'. PowerShell ScriptBlock Logging Event ID 4104 in Microsoft-Windows-PowerShell/Operational log with full script content. No AD network queries for local account enumeration.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1033 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Owner/User Discovery

What is T1033 System Owner/User Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1033

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1033 System Owner/User Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1033

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox