Which SIEM platforms have a T1087 detection rule?

df00tech provides T1087 (Account Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Account Discovery (T1087)?

Detecting Account Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1087 detection?

The T1087 detection is rated medium severity with medium confidence.

What are common false positives for T1087?

Common false positives for T1087 include: IT administrators running net user or Get-ADUser as part of routine account auditing and helpdesk workflows; Endpoint management agents (SCCM, Intune, Tanium) that enumerate local accounts during inventory collection; Security scanning tools (Nessus, Qualys, CrowdStrike Spotlight) performing authenticated enumeration for vulnerability assessment.

T1087

Account Discovery

Discovery Last updated: April 17, 2026

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers. Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. On Windows, common discovery methods include net user, net localgroup, wmic useraccount list, Get-LocalUser, and Get-ADUser. On Linux and macOS, adversaries may read /etc/passwd, use getent, id, last, and who commands. In cloud environments, CLIs such as aws iam list-users, az ad user list, and gcloud iam service-accounts list are commonly abused. Observed threat actors leveraging this technique include Aquatic Panda, Scattered Spider, FIN13, and malware families such as Woody RAT, Havoc, TONESHELL, and ShimRatReporter.

What is T1087 Account Discovery?

Account Discovery (T1087) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Account Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1087 Account Discovery
Canonical reference: https://attack.mitre.org/techniques/T1087/

Microsoft Sentinel / Defender

kusto

let AccountDiscoveryProcesses = dynamic([
  "net.exe", "net1.exe", "wmic.exe", "dsquery.exe", "nltest.exe", "whoami.exe"
]);
let AccountDiscoveryCmdPatterns = dynamic([
  "net user", "net localgroup", "net group",
  "wmic useraccount", "wmic group",
  "dsquery user", "dsquery group",
  "Get-LocalUser", "Get-LocalGroup", "Get-ADUser", "Get-ADGroupMember",
  "nltest /dclist", "nltest /domain_trusts",
  "whoami /groups", "whoami /all",
  "query user", "quser"
]);
let PSAccountDiscovery = dynamic([
  "Get-LocalUser", "Get-LocalGroup", "Get-ADUser",
  "Get-ADGroupMember", "Get-ADObject", "Get-ADPrincipalGroupMembership",
  "[adsi]", "DirectorySearcher", "DirectoryEntry"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ (AccountDiscoveryProcesses) and ProcessCommandLine has_any (AccountDiscoveryCmdPatterns))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSAccountDiscovery))
    or (ProcessCommandLine has "whoami" and ProcessCommandLine has_any ("/groups", "/all", "/priv"))
  )
| extend IsEncodedPS = (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("-enc", "-EncodedCommand"))
| extend NetUserDomain = (ProcessCommandLine has "net user" and ProcessCommandLine has "/domain")
| extend LocalGroupEnum = (ProcessCommandLine has_any ("net localgroup", "Get-LocalGroup", "wmic group"))
| extend PrivilegedGroupEnum = (ProcessCommandLine has_any ("administrators", "domain admins", "enterprise admins", "schema admins"))
| extend WMICEnum = (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("useraccount", "group"))
| extend DSQueryEnum = (FileName =~ "dsquery.exe")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, ProcessId,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
         IsEncodedPS, NetUserDomain, LocalGroupEnum, PrivilegedGroupEnum, WMICEnum, DSQueryEnum
| sort by Timestamp desc

Detects account discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies Windows built-in tools (net.exe, net1.exe, wmic.exe, dsquery.exe, nltest.exe, whoami.exe) and PowerShell cmdlets (Get-LocalUser, Get-ADUser, Get-ADGroupMember) used to enumerate local accounts, domain accounts, and group memberships. Enriches each event with boolean flags for encoded PowerShell, domain-level enumeration, local group enumeration, privileged group targeting, WMI-based enumeration, and directory query usage. High-fidelity signals include privileged group enumeration and domain-level queries from non-administrative processes.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running net user or Get-ADUser as part of routine account auditing and helpdesk workflows
Endpoint management agents (SCCM, Intune, Tanium) that enumerate local accounts during inventory collection
Security scanning tools (Nessus, Qualys, CrowdStrike Spotlight) performing authenticated enumeration for vulnerability assessment
HR and IAM automation scripts that synchronize user lists between directories (e.g., Azure AD Connect, Okta provisioning)
Monitoring and SIEM agents that collect account information for baseline and compliance reporting
Developer tools and CI/CD pipelines that resolve user identities during build or deployment processes

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\wmic.exe" OR Image="*\\dsquery.exe" OR Image="*\\nltest.exe" OR Image="*\\whoami.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
| eval CommandLineLower=lower(CommandLine)
| eval NetUserEnum=if(match(CommandLineLower, "net(1)?\s+user"), 1, 0)
| eval NetGroupEnum=if(match(CommandLineLower, "net(1)?\s+(localgroup|group)"), 1, 0)
| eval NetDomainEnum=if(match(CommandLineLower, "net(1)?\s+user.*/domain") OR match(CommandLineLower, "net(1)?\s+group.*/domain"), 1, 0)
| eval WMICEnum=if(match(CommandLineLower, "wmic.*(useraccount|group)"), 1, 0)
| eval DSQueryEnum=if(match(Image, "dsquery\.exe"), 1, 0)
| eval NLTestEnum=if(match(Image, "nltest\.exe"), 1, 0)
| eval WhoamiEnum=if(match(CommandLineLower, "whoami.*(\\/(groups|all|priv))"), 1, 0)
| eval PSLocalEnum=if(match(CommandLineLower, "(get-localuser|get-localgroup|get-localgroupmember)"), 1, 0)
| eval PSADEnum=if(match(CommandLineLower, "(get-aduser|get-adgroupmember|get-adprincipalgroup|get-adobject)"), 1, 0)
| eval PrivGroupTarget=if(match(CommandLineLower, "(administrators|domain admins|enterprise admins|schema admins)"), 1, 0)
| eval DiscoveryScore=NetUserEnum + NetGroupEnum + WMICEnum + DSQueryEnum + NLTestEnum + WhoamiEnum + PSLocalEnum + PSADEnum
| where DiscoveryScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        NetUserEnum, NetGroupEnum, NetDomainEnum, WMICEnum, DSQueryEnum,
        NLTestEnum, WhoamiEnum, PSLocalEnum, PSADEnum, PrivGroupTarget, DiscoveryScore
| sort - _time

Detects account discovery commands using Sysmon Event ID 1 (Process Creation). Evaluates process command lines across multiple discovery technique categories: net user/group enumeration, WMI account queries, dsquery, nltest trust/DC discovery, whoami privilege checks, and PowerShell AD cmdlets. Assigns a DiscoveryScore to help prioritize events with multiple concurrent discovery behaviors, which may indicate automated post-exploitation tooling rather than manual administrative activity.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators running net user or Get-ADUser as part of routine account auditing and helpdesk workflows
Endpoint management agents (SCCM, Intune, Tanium) that enumerate local accounts during inventory collection
Security scanning tools (Nessus, Qualys) performing authenticated enumeration for vulnerability assessment
HR and IAM automation scripts that synchronize user lists between Active Directory and cloud directories
Monitoring and SIEM agents that collect account information for baseline and compliance reporting
Developer tools and CI/CD pipelines that resolve user identities during build or deployment processes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  CASE WHEN LOWER("Command") LIKE '%net user%' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Command") LIKE '%net localgroup%' OR LOWER("Command") LIKE '%net group%' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") LIKE '%wmic.exe%' AND (LOWER("Command") LIKE '%useraccount%' OR LOWER("Command") LIKE '% group%') THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") LIKE '%dsquery.exe%' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") LIKE '%nltest.exe%' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Command") LIKE '%whoami%' AND (LOWER("Command") LIKE '%/groups%' OR LOWER("Command") LIKE '%/all%' OR LOWER("Command") LIKE '%/priv%') THEN 1 ELSE 0 END +
  CASE WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%') AND (
    LOWER("Command") LIKE '%get-localuser%' OR LOWER("Command") LIKE '%get-localgroup%' OR
    LOWER("Command") LIKE '%get-aduser%' OR LOWER("Command") LIKE '%get-adgroupmember%' OR
    LOWER("Command") LIKE '%directorysearcher%'
  ) THEN 1 ELSE 0 END AS discovery_score
FROM events
WHERE (
  (LOWER("Process Name") LIKE '%net.exe%' AND (LOWER("Command") LIKE '%net user%' OR LOWER("Command") LIKE '%net localgroup%' OR LOWER("Command") LIKE '%net group%'))
  OR (LOWER("Process Name") LIKE '%net1.exe%' AND (LOWER("Command") LIKE '%net user%' OR LOWER("Command") LIKE '%net localgroup%' OR LOWER("Command") LIKE '%net group%'))
  OR (LOWER("Process Name") LIKE '%wmic.exe%' AND (LOWER("Command") LIKE '%useraccount%' OR LOWER("Command") LIKE '% group%'))
  OR LOWER("Process Name") LIKE '%dsquery.exe%'
  OR LOWER("Process Name") LIKE '%nltest.exe%'
  OR (LOWER("Command") LIKE '%whoami%' AND (LOWER("Command") LIKE '%/groups%' OR LOWER("Command") LIKE '%/all%' OR LOWER("Command") LIKE '%/priv%'))
  OR (
    (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%') AND (
      LOWER("Command") LIKE '%get-localuser%' OR LOWER("Command") LIKE '%get-localgroup%' OR
      LOWER("Command") LIKE '%get-aduser%' OR LOWER("Command") LIKE '%get-adgroupmember%' OR
      LOWER("Command") LIKE '%directorysearcher%'
    )
  )
)
LAST 24 HOURS
ORDER BY starttime DESC

Detects Windows account discovery activity in IBM QRadar by correlating process name and command line arguments from Sysmon and Windows Security event sources. Computes a per-event discovery score to prioritize high-fidelity alerts. Maps to MITRE ATT&CK T1087.

medium severity high confidence

Data Sources

Windows Security Events via WinCollect (Event ID 4688) Sysmon via WinCollect (Event ID 1) Microsoft Windows Event Log DSM

Required Tables

events

False Positives

IT administrators using net.exe or PowerShell AD cmdlets for routine account management, inventory, or compliance reporting
Help desk personnel querying AD group membership to resolve access requests or troubleshoot login failures
Automated lifecycle management scripts that enumerate accounts during provisioning or deprovisioning workflows

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=sysmon
| where EventCode = "1" OR EventCode = "4688"
| parse "Image=*" as full_image_path nodrop
| parse regex field=full_image_path "(?i)\\(?P<process_name>[^\\]+)$" nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "ParentImage=*" as full_parent_path nodrop
| parse regex field=full_parent_path "(?i)\\(?P<parent_process_name>[^\\]+)$" nodrop
| parse "ParentCommandLine=*" as parent_command_line nodrop
| parse "User=*" as event_user nodrop
| where (
    (in(toLowerCase(process_name), "net.exe", "net1.exe") and (toLowerCase(command_line) contains "net user" or toLowerCase(command_line) contains "net localgroup" or toLowerCase(command_line) contains "net group"))
    or (toLowerCase(process_name) = "wmic.exe" and (toLowerCase(command_line) contains "useraccount" or toLowerCase(command_line) contains " group"))
    or in(toLowerCase(process_name), "dsquery.exe", "nltest.exe")
    or (toLowerCase(process_name) = "whoami.exe" and (toLowerCase(command_line) contains "/groups" or toLowerCase(command_line) contains "/all" or toLowerCase(command_line) contains "/priv"))
    or (in(toLowerCase(process_name), "powershell.exe", "pwsh.exe") and (
      toLowerCase(command_line) contains "get-localuser" or toLowerCase(command_line) contains "get-localgroup" or
      toLowerCase(command_line) contains "get-aduser" or toLowerCase(command_line) contains "get-adgroupmember" or
      toLowerCase(command_line) contains "get-adobject" or toLowerCase(command_line) contains "get-adprincipalgroup" or
      toLowerCase(command_line) contains "directorysearcher" or toLowerCase(command_line) contains "directoryentry"
    ))
  )
| eval NetUserEnum = if(toLowerCase(command_line) contains "net user", 1, 0)
| eval NetGroupEnum = if(toLowerCase(command_line) contains "net localgroup" or toLowerCase(command_line) contains "net group", 1, 0)
| eval NetDomainEnum = if(toLowerCase(command_line) contains "/domain", 1, 0)
| eval WMICEnum = if(toLowerCase(process_name) = "wmic.exe" and (toLowerCase(command_line) contains "useraccount" or toLowerCase(command_line) contains " group"), 1, 0)
| eval DSQueryEnum = if(toLowerCase(process_name) = "dsquery.exe", 1, 0)
| eval NLTestEnum = if(toLowerCase(process_name) = "nltest.exe", 1, 0)
| eval WhoamiEnum = if(toLowerCase(command_line) contains "/groups" or toLowerCase(command_line) contains "/all" or toLowerCase(command_line) contains "/priv", 1, 0)
| eval PSLocalEnum = if(toLowerCase(command_line) contains "get-localuser" or toLowerCase(command_line) contains "get-localgroup", 1, 0)
| eval PSADEnum = if(toLowerCase(command_line) contains "get-aduser" or toLowerCase(command_line) contains "get-adgroupmember", 1, 0)
| eval PrivGroupTarget = if(toLowerCase(command_line) contains "administrators" or toLowerCase(command_line) contains "domain admins" or toLowerCase(command_line) contains "enterprise admins", 1, 0)
| eval DiscoveryScore = NetUserEnum + NetGroupEnum + WMICEnum + DSQueryEnum + NLTestEnum + WhoamiEnum + PSLocalEnum + PSADEnum
| where DiscoveryScore > 0
| fields _messageTime, _sourceHost, event_user, process_name, command_line, parent_process_name, parent_command_line, NetUserEnum, NetGroupEnum, NetDomainEnum, WMICEnum, DSQueryEnum, NLTestEnum, WhoamiEnum, PSLocalEnum, PSADEnum, PrivGroupTarget, DiscoveryScore
| sort by _messageTime desc

Detects account discovery activity in Sumo Logic by parsing Sysmon Event ID 1 and Windows Security Event ID 4688 process creation events. Identifies use of net.exe, wmic.exe, dsquery.exe, nltest.exe, whoami.exe, and PowerShell AD cmdlets with a scoring model to surface high-fidelity alerts for MITRE ATT&CK T1087.

medium severity high confidence

Data Sources

Sysmon Event ID 1 (Process Create) via Sumo Logic Windows collector Windows Security Event ID 4688 (Process Create with command line) via Sumo Logic collector Sumo Logic Cloud SIEM Enterprise normalized process records

Required Tables

_sourceCategory=endpoint/windows _sourceCategory=sysmon

False Positives

System administrators running net.exe, dsquery.exe, or PowerShell AD scripts as part of scheduled user account inventory or compliance audits
Managed service providers using PowerShell AD cmdlets for regular AD health checks, reporting, or group membership reconciliation
Automated onboarding and offboarding workflows that enumerate group membership before modifying user accounts

Google Chronicle / SecOps

yaral

rule t1087_account_discovery {
  meta:
    author = "Argus Detection Platform"
    description = "Detects account discovery activity via Windows process enumeration tools and PowerShell AD cmdlets"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1087"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1087/"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\net\.exe|\\net1\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)net(1)?\s+(user|localgroup|group)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(useraccount|\sgroup\s)`)
      ) or
      re.regex($e.target.process.file.full_path, `(?i)(\\dsquery\.exe|\\nltest\.exe)$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\whoami\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)/(groups|all|priv)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\powershell\.exe|\\pwsh\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)(Get-LocalUser|Get-LocalGroup|Get-ADUser|Get-ADGroupMember|Get-ADObject|Get-ADPrincipalGroupMembership|DirectorySearcher|DirectoryEntry|\[adsi\])`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting account discovery via Windows process enumeration. Matches PROCESS_LAUNCH UDM events where net.exe, wmic.exe, dsquery.exe, nltest.exe, whoami.exe, or PowerShell with Active Directory cmdlets are invoked with arguments consistent with MITRE ATT&CK T1087 account enumeration behavior.

medium severity high confidence

Data Sources

Google Chronicle UDM - PROCESS_LAUNCH events Windows Event Logs forwarded via Chronicle forwarder Sysmon Event ID 1 via Chronicle forwarder

Required Tables

UDM Events (event_type = PROCESS_LAUNCH)

False Positives

Authorized IT operations teams executing scheduled AD inventory scripts or user reconciliation tasks using dsquery.exe or PowerShell AD cmdlets
Active Directory monitoring and management platforms (e.g., RSAT, ManageEngine AD Manager) that enumerate users and groups as part of normal health checks
Privileged access workstations (PAWs) used by domain administrators for routine AD administration, generating frequent AD enumeration activity

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /^(net\.exe|net1\.exe|wmic\.exe|dsquery\.exe|nltest\.exe|whoami\.exe|powershell\.exe|pwsh\.exe)$/i
| CommandLine = /net\s+(user|localgroup|group)|wmic.*(useraccount|\sgroup)|whoami.*\/(groups|all|priv)|(get-localuser|get-localgroup|get-localgroupmember|get-aduser|get-adgroupmember|get-adobject|get-adprincipalgroup|directorysearcher|directoryentry|\[adsi\])|dsquery\s|nltest\s/i
| eval NetUserEnum = if(CommandLine = /net(1)?\s+user/i, "true", "false")
| eval NetGroupEnum = if(CommandLine = /net(1)?\s+(localgroup|group)/i, "true", "false")
| eval NetDomainEnum = if(CommandLine = /net(1)?\s+(user|group).*\/domain/i, "true", "false")
| eval WMICEnum = if(CommandLine = /wmic.*(useraccount|\sgroup)/i, "true", "false")
| eval DSQueryEnum = if(FileName = /dsquery\.exe/i, "true", "false")
| eval NLTestEnum = if(FileName = /nltest\.exe/i, "true", "false")
| eval WhoamiEnum = if(CommandLine = /whoami.*\/(groups|all|priv)/i, "true", "false")
| eval PSLocalEnum = if(CommandLine = /(get-localuser|get-localgroup|get-localgroupmember)/i, "true", "false")
| eval PSADEnum = if(CommandLine = /(get-aduser|get-adgroupmember|get-adprincipalgroup|get-adobject)/i, "true", "false")
| eval PrivGroupTarget = if(CommandLine = /(administrators|domain admins|enterprise admins|schema admins)/i, "true", "false")
| eval EncodedPS = if(CommandLine = /-(enc|EncodedCommand)\s/i, "true", "false")
| select [@timestamp, ComputerName, UserName, FileName, CommandLine, ParentProcessId, ParentBaseFileName, NetUserEnum, NetGroupEnum, NetDomainEnum, WMICEnum, DSQueryEnum, NLTestEnum, WhoamiEnum, PSLocalEnum, PSADEnum, PrivGroupTarget, EncodedPS]
| sort @timestamp desc

CrowdStrike LogScale detection for MITRE ATT&CK T1087 Account Discovery using Falcon ProcessRollup2 events. Identifies net.exe, wmic.exe, dsquery.exe, nltest.exe, whoami.exe, and PowerShell Active Directory cmdlet usage with command line arguments characteristic of account and group enumeration. Flags encoded PowerShell and privileged group targeting for analyst triage.

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent (ProcessRollup2 events) Falcon Data Replicator (FDR) - process telemetry

Required Tables

ProcessRollup2

False Positives

System administrators executing net user or net localgroup commands to manage local accounts or troubleshoot access issues on workstations and servers
Active Directory management and monitoring tools (e.g., RSAT, Quest AD tools, Varonis) that perform frequent account enumeration as part of normal operations
Security and identity governance platforms performing scheduled access reviews or certification campaigns via PowerShell AD cmdlets

Sigma rule & cross-platform mapping

The detection logic for Account Discovery (T1087) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1087 Sigma rules on detection.fyi

Platform-specific guides for T1087

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-17 Research depth: deep

References (10)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Local Account Enumeration via Net User
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe and CommandLine='net user'. Net1.exe may also appear as a child process. Security Event ID 4688 (if command line auditing enabled) with the same detail. No network connections expected — local SAM database query only.
Test 2Domain Account and Group Enumeration via Net
Expected signal: Sysmon Event ID 1: Three sequential Process Create events for net.exe with CommandLines 'net user /domain', 'net group Domain Admins /domain', 'net group Enterprise Admins /domain'. Sysmon Event ID 3: Network connections to domain controller IP on port 445 (SMB/SAMR protocol for domain queries). Security Event IDs 4661/4662 on the domain controller for directory object access.
Test 3Active Directory Enumeration via PowerShell Get-ADUser
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-ADUser' and '-Filter *'. Sysmon Event ID 3: LDAP connection (port 389 or 3268 for global catalog) from powershell.exe to domain controller IP. PowerShell ScriptBlock Logging Event ID 4104 with full script content. Domain Controller Security Event IDs 4661/4662 for directory service access.
Test 4WMI-Based Local Account Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\wbem\WMIC.exe and CommandLine='wmic useraccount list brief'. Possible WMI provider process creation (WmiPrvSE.exe). No network connections for local query. Security Event ID 4688 with command line if auditing enabled.
Test 5dsquery Domain User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\dsquery.exe and CommandLine='dsquery user -limit 0'. Sysmon Event ID 3: LDAP connection from dsquery.exe to domain controller on port 389 or 3268. Security Event IDs 4661/4662 on domain controller for directory access.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1087 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Account Discovery

What is T1087 Account Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1087

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1087 Account Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1087

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox