T1033 Microsoft Sentinel · KQL

Detect System Owner/User Discovery in Microsoft Sentinel

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this by retrieving account usernames via built-in OS utilities such as whoami, query user, qwinsta, w, who, and id, or by querying environment variables, WMI, and Active Directory. The information is used during automated discovery to shape follow-on behaviors — determining whether to fully deploy a payload, escalate privileges, or target a specific high-value user account.

MITRE ATT&CK

Tactic
Discovery
Technique
T1033 System Owner/User Discovery
Canonical reference
https://attack.mitre.org/techniques/T1033/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let UserDiscoveryCommands = dynamic([
  "whoami", "query user", "qwinsta", "quser",
  "wmic useraccount", "wmic /node",
  "net user", "net localgroup",
  "Get-LocalUser", "Get-ADUser",
  "$env:USERNAME", "%USERNAME%", "%USERDOMAIN%"
]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
  "schtasks.exe", "at.exe", "msbuild.exe", "installutil.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // whoami with enumeration flags is more suspicious than bare whoami
    (FileName =~ "whoami.exe" and ProcessCommandLine has_any ("/all", "/groups", "/priv", "/fo"))
    // query user / qwinsta used outside of RDS admin contexts
    or FileName in~ ("query.exe", "qwinsta.exe", "quser.exe")
    // wmic useraccount enumeration
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("useraccount", "UserAccount"))
    // net user domain enumeration
    or (FileName =~ "net.exe" and ProcessCommandLine has_any ("user /domain", "localgroup administrators", "group /domain"))
    or (FileName =~ "net1.exe" and ProcessCommandLine has_any ("user /domain", "localgroup administrators"))
    // PowerShell user enumeration cmdlets
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-LocalUser", "Get-ADUser", "Get-WmiObject Win32_UserAccount", "[System.Security.Principal.WindowsIdentity]::GetCurrent", "whoami"))
)
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend BareWhoami = (FileName =~ "whoami.exe" and not (ProcessCommandLine has_any ("/all", "/groups", "/priv", "/fo")))
| extend HighPrivContext = AccountName has_any ("SYSTEM", "Administrator") or InitiatingProcessAccountName has_any ("SYSTEM", "Administrator")
| extend RiskScore = toint(SuspiciousParent) + toint(not BareWhoami) + toint(HighPrivContext)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, SuspiciousParent, HighPrivContext, RiskScore
| sort by Timestamp desc
low severity medium confidence

Detects system owner and user discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Captures whoami with enumeration flags (/all, /groups, /priv), query user/qwinsta/quser execution, wmic useraccount queries, net user domain enumeration, and PowerShell user discovery cmdlets. Applies a RiskScore based on suspicious parent process, enriched command-line flags, and high-privilege execution context. Bare 'whoami' without flags is intentionally down-weighted due to high false positive volume.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • IT helpdesk and system administrators routinely running whoami or query user when troubleshooting user sessions on RDS/Terminal Server hosts
  • Software deployment and configuration management agents (SCCM, Ansible, Chef, Puppet) that enumerate local users as part of compliance checks
  • Vulnerability scanners and security baselines tools (Nessus, Tenable.io, CIS-CAT) that query user accounts during authenticated scans
  • Monitoring and SIEM agents that collect user session data for asset inventory (e.g., Tanium, BigFix, Qualys Cloud Agent)
  • Developer tooling and CI/CD pipelines that resolve the current user context during build or deployment steps
Download portable Sigma rule (.yml)

Other platforms for T1033

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Whoami Full Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\whoami.exe, CommandLine='whoami /all', ParentImage=cmd.exe or calling shell. Security Event ID 4688 if command line auditing is enabled. No network events expected.

  2. Test 2Query Active User Sessions

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\query.exe, CommandLine='query user'. Alternatively may appear as quser.exe. Security Event ID 4688 with command line auditing enabled.

  3. Test 3WMI User Account Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\wbem\wmic.exe, CommandLine containing 'useraccount get'. No network events if targeting local system. Security Event ID 4688 with full command line if auditing is enabled.

  4. Test 4Linux Multi-Command User Discovery

    Expected signal: Linux auditd: SYSCALL records for execve of /usr/bin/whoami, /usr/bin/id, /usr/bin/w, /usr/bin/who, /usr/bin/last, /bin/cat with respective arguments. Syslog entries if auditd is configured to log to syslog. On systems with Sysmon for Linux: EventType=ProcessCreate for each command.

  5. Test 5PowerShell Active Directory User Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_UserAccount'. PowerShell ScriptBlock Logging Event ID 4104 in Microsoft-Windows-PowerShell/Operational log with full script content. No AD network queries for local account enumeration.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1033 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1082System Information DiscoveryT1087.001Local AccountT1087.002Domain AccountT1069.001Local GroupsT1069.002Domain GroupsT1016System Network Configuration DiscoveryT1057Process DiscoveryT1049System Network Connections DiscoveryT1007System Service DiscoveryT1003OS Credential Dumping

Same Tactic: Discovery

Popular Detections