T1087

Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers. Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. On Windows, common discovery methods include net user, net localgroup, wmic useraccount list, Get-LocalUser, and Get-ADUser. On Linux and macOS, adversaries may read /etc/passwd, use getent, id, last, and who commands. In cloud environments, CLIs such as aws iam list-users, az ad user list, and gcloud iam service-accounts list are commonly abused. Observed threat actors leveraging this technique include Aquatic Panda, Scattered Spider, FIN13, and malware families such as Woody RAT, Havoc, TONESHELL, and ShimRatReporter.

Microsoft Sentinel / Defender

kusto

let AccountDiscoveryProcesses = dynamic([
  "net.exe", "net1.exe", "wmic.exe", "dsquery.exe", "nltest.exe", "whoami.exe"
]);
let AccountDiscoveryCmdPatterns = dynamic([
  "net user", "net localgroup", "net group",
  "wmic useraccount", "wmic group",
  "dsquery user", "dsquery group",
  "Get-LocalUser", "Get-LocalGroup", "Get-ADUser", "Get-ADGroupMember",
  "nltest /dclist", "nltest /domain_trusts",
  "whoami /groups", "whoami /all",
  "query user", "quser"
]);
let PSAccountDiscovery = dynamic([
  "Get-LocalUser", "Get-LocalGroup", "Get-ADUser",
  "Get-ADGroupMember", "Get-ADObject", "Get-ADPrincipalGroupMembership",
  "[adsi]", "DirectorySearcher", "DirectoryEntry"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ (AccountDiscoveryProcesses) and ProcessCommandLine has_any (AccountDiscoveryCmdPatterns))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSAccountDiscovery))
    or (ProcessCommandLine has "whoami" and ProcessCommandLine has_any ("/groups", "/all", "/priv"))
  )
| extend IsEncodedPS = (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("-enc", "-EncodedCommand"))
| extend NetUserDomain = (ProcessCommandLine has "net user" and ProcessCommandLine has "/domain")
| extend LocalGroupEnum = (ProcessCommandLine has_any ("net localgroup", "Get-LocalGroup", "wmic group"))
| extend PrivilegedGroupEnum = (ProcessCommandLine has_any ("administrators", "domain admins", "enterprise admins", "schema admins"))
| extend WMICEnum = (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("useraccount", "group"))
| extend DSQueryEnum = (FileName =~ "dsquery.exe")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, ProcessId,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
         IsEncodedPS, NetUserDomain, LocalGroupEnum, PrivilegedGroupEnum, WMICEnum, DSQueryEnum
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running net user or Get-ADUser as part of routine account auditing and helpdesk workflows
Endpoint management agents (SCCM, Intune, Tanium) that enumerate local accounts during inventory collection
Security scanning tools (Nessus, Qualys, CrowdStrike Spotlight) performing authenticated enumeration for vulnerability assessment
HR and IAM automation scripts that synchronize user lists between directories (e.g., Azure AD Connect, Okta provisioning)
Monitoring and SIEM agents that collect account information for baseline and compliance reporting
Developer tools and CI/CD pipelines that resolve user identities during build or deployment processes

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\wmic.exe" OR Image="*\\dsquery.exe" OR Image="*\\nltest.exe" OR Image="*\\whoami.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
| eval CommandLineLower=lower(CommandLine)
| eval NetUserEnum=if(match(CommandLineLower, "net(1)?\s+user"), 1, 0)
| eval NetGroupEnum=if(match(CommandLineLower, "net(1)?\s+(localgroup|group)"), 1, 0)
| eval NetDomainEnum=if(match(CommandLineLower, "net(1)?\s+user.*/domain") OR match(CommandLineLower, "net(1)?\s+group.*/domain"), 1, 0)
| eval WMICEnum=if(match(CommandLineLower, "wmic.*(useraccount|group)"), 1, 0)
| eval DSQueryEnum=if(match(Image, "dsquery\.exe"), 1, 0)
| eval NLTestEnum=if(match(Image, "nltest\.exe"), 1, 0)
| eval WhoamiEnum=if(match(CommandLineLower, "whoami.*(\\/(groups|all|priv))"), 1, 0)
| eval PSLocalEnum=if(match(CommandLineLower, "(get-localuser|get-localgroup|get-localgroupmember)"), 1, 0)
| eval PSADEnum=if(match(CommandLineLower, "(get-aduser|get-adgroupmember|get-adprincipalgroup|get-adobject)"), 1, 0)
| eval PrivGroupTarget=if(match(CommandLineLower, "(administrators|domain admins|enterprise admins|schema admins)"), 1, 0)
| eval DiscoveryScore=NetUserEnum + NetGroupEnum + WMICEnum + DSQueryEnum + NLTestEnum + WhoamiEnum + PSLocalEnum + PSADEnum
| where DiscoveryScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        NetUserEnum, NetGroupEnum, NetDomainEnum, WMICEnum, DSQueryEnum,
        NLTestEnum, WhoamiEnum, PSLocalEnum, PSADEnum, PrivGroupTarget, DiscoveryScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators running net user or Get-ADUser as part of routine account auditing and helpdesk workflows
Endpoint management agents (SCCM, Intune, Tanium) that enumerate local accounts during inventory collection
Security scanning tools (Nessus, Qualys) performing authenticated enumeration for vulnerability assessment
HR and IAM automation scripts that synchronize user lists between Active Directory and cloud directories
Monitoring and SIEM agents that collect account information for baseline and compliance reporting
Developer tools and CI/CD pipelines that resolve user identities during build or deployment processes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  CASE WHEN LOWER("Command") LIKE '%net user%' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Command") LIKE '%net localgroup%' OR LOWER("Command") LIKE '%net group%' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") LIKE '%wmic.exe%' AND (LOWER("Command") LIKE '%useraccount%' OR LOWER("Command") LIKE '% group%') THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") LIKE '%dsquery.exe%' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") LIKE '%nltest.exe%' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Command") LIKE '%whoami%' AND (LOWER("Command") LIKE '%/groups%' OR LOWER("Command") LIKE '%/all%' OR LOWER("Command") LIKE '%/priv%') THEN 1 ELSE 0 END +
  CASE WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%') AND (
    LOWER("Command") LIKE '%get-localuser%' OR LOWER("Command") LIKE '%get-localgroup%' OR
    LOWER("Command") LIKE '%get-aduser%' OR LOWER("Command") LIKE '%get-adgroupmember%' OR
    LOWER("Command") LIKE '%directorysearcher%'
  ) THEN 1 ELSE 0 END AS discovery_score
FROM events
WHERE (
  (LOWER("Process Name") LIKE '%net.exe%' AND (LOWER("Command") LIKE '%net user%' OR LOWER("Command") LIKE '%net localgroup%' OR LOWER("Command") LIKE '%net group%'))
  OR (LOWER("Process Name") LIKE '%net1.exe%' AND (LOWER("Command") LIKE '%net user%' OR LOWER("Command") LIKE '%net localgroup%' OR LOWER("Command") LIKE '%net group%'))
  OR (LOWER("Process Name") LIKE '%wmic.exe%' AND (LOWER("Command") LIKE '%useraccount%' OR LOWER("Command") LIKE '% group%'))
  OR LOWER("Process Name") LIKE '%dsquery.exe%'
  OR LOWER("Process Name") LIKE '%nltest.exe%'
  OR (LOWER("Command") LIKE '%whoami%' AND (LOWER("Command") LIKE '%/groups%' OR LOWER("Command") LIKE '%/all%' OR LOWER("Command") LIKE '%/priv%'))
  OR (
    (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%') AND (
      LOWER("Command") LIKE '%get-localuser%' OR LOWER("Command") LIKE '%get-localgroup%' OR
      LOWER("Command") LIKE '%get-aduser%' OR LOWER("Command") LIKE '%get-adgroupmember%' OR
      LOWER("Command") LIKE '%directorysearcher%'
    )
  )
)
LAST 24 HOURS
ORDER BY starttime DESC

medium severity high confidence

Data Sources

Windows Security Events via WinCollect (Event ID 4688) Sysmon via WinCollect (Event ID 1) Microsoft Windows Event Log DSM

Required Tables

events

False Positives

IT administrators using net.exe or PowerShell AD cmdlets for routine account management, inventory, or compliance reporting
Help desk personnel querying AD group membership to resolve access requests or troubleshoot login failures
Automated lifecycle management scripts that enumerate accounts during provisioning or deprovisioning workflows

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=sysmon
| where EventCode = "1" OR EventCode = "4688"
| parse "Image=*" as full_image_path nodrop
| parse regex field=full_image_path "(?i)\\(?P<process_name>[^\\]+)$" nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "ParentImage=*" as full_parent_path nodrop
| parse regex field=full_parent_path "(?i)\\(?P<parent_process_name>[^\\]+)$" nodrop
| parse "ParentCommandLine=*" as parent_command_line nodrop
| parse "User=*" as event_user nodrop
| where (
    (in(toLowerCase(process_name), "net.exe", "net1.exe") and (toLowerCase(command_line) contains "net user" or toLowerCase(command_line) contains "net localgroup" or toLowerCase(command_line) contains "net group"))
    or (toLowerCase(process_name) = "wmic.exe" and (toLowerCase(command_line) contains "useraccount" or toLowerCase(command_line) contains " group"))
    or in(toLowerCase(process_name), "dsquery.exe", "nltest.exe")
    or (toLowerCase(process_name) = "whoami.exe" and (toLowerCase(command_line) contains "/groups" or toLowerCase(command_line) contains "/all" or toLowerCase(command_line) contains "/priv"))
    or (in(toLowerCase(process_name), "powershell.exe", "pwsh.exe") and (
      toLowerCase(command_line) contains "get-localuser" or toLowerCase(command_line) contains "get-localgroup" or
      toLowerCase(command_line) contains "get-aduser" or toLowerCase(command_line) contains "get-adgroupmember" or
      toLowerCase(command_line) contains "get-adobject" or toLowerCase(command_line) contains "get-adprincipalgroup" or
      toLowerCase(command_line) contains "directorysearcher" or toLowerCase(command_line) contains "directoryentry"
    ))
  )
| eval NetUserEnum = if(toLowerCase(command_line) contains "net user", 1, 0)
| eval NetGroupEnum = if(toLowerCase(command_line) contains "net localgroup" or toLowerCase(command_line) contains "net group", 1, 0)
| eval NetDomainEnum = if(toLowerCase(command_line) contains "/domain", 1, 0)
| eval WMICEnum = if(toLowerCase(process_name) = "wmic.exe" and (toLowerCase(command_line) contains "useraccount" or toLowerCase(command_line) contains " group"), 1, 0)
| eval DSQueryEnum = if(toLowerCase(process_name) = "dsquery.exe", 1, 0)
| eval NLTestEnum = if(toLowerCase(process_name) = "nltest.exe", 1, 0)
| eval WhoamiEnum = if(toLowerCase(command_line) contains "/groups" or toLowerCase(command_line) contains "/all" or toLowerCase(command_line) contains "/priv", 1, 0)
| eval PSLocalEnum = if(toLowerCase(command_line) contains "get-localuser" or toLowerCase(command_line) contains "get-localgroup", 1, 0)
| eval PSADEnum = if(toLowerCase(command_line) contains "get-aduser" or toLowerCase(command_line) contains "get-adgroupmember", 1, 0)
| eval PrivGroupTarget = if(toLowerCase(command_line) contains "administrators" or toLowerCase(command_line) contains "domain admins" or toLowerCase(command_line) contains "enterprise admins", 1, 0)
| eval DiscoveryScore = NetUserEnum + NetGroupEnum + WMICEnum + DSQueryEnum + NLTestEnum + WhoamiEnum + PSLocalEnum + PSADEnum
| where DiscoveryScore > 0
| fields _messageTime, _sourceHost, event_user, process_name, command_line, parent_process_name, parent_command_line, NetUserEnum, NetGroupEnum, NetDomainEnum, WMICEnum, DSQueryEnum, NLTestEnum, WhoamiEnum, PSLocalEnum, PSADEnum, PrivGroupTarget, DiscoveryScore
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sysmon Event ID 1 (Process Create) via Sumo Logic Windows collector Windows Security Event ID 4688 (Process Create with command line) via Sumo Logic collector Sumo Logic Cloud SIEM Enterprise normalized process records

Required Tables

_sourceCategory=endpoint/windows _sourceCategory=sysmon

False Positives

System administrators running net.exe, dsquery.exe, or PowerShell AD scripts as part of scheduled user account inventory or compliance audits
Managed service providers using PowerShell AD cmdlets for regular AD health checks, reporting, or group membership reconciliation
Automated onboarding and offboarding workflows that enumerate group membership before modifying user accounts

Google Chronicle / SecOps

yaral

rule t1087_account_discovery {
  meta:
    author = "Argus Detection Platform"
    description = "Detects account discovery activity via Windows process enumeration tools and PowerShell AD cmdlets"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1087"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1087/"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\net\.exe|\\net1\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)net(1)?\s+(user|localgroup|group)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(useraccount|\sgroup\s)`)
      ) or
      re.regex($e.target.process.file.full_path, `(?i)(\\dsquery\.exe|\\nltest\.exe)$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\whoami\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)/(groups|all|priv)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\powershell\.exe|\\pwsh\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)(Get-LocalUser|Get-LocalGroup|Get-ADUser|Get-ADGroupMember|Get-ADObject|Get-ADPrincipalGroupMembership|DirectorySearcher|DirectoryEntry|\[adsi\])`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle UDM - PROCESS_LAUNCH events Windows Event Logs forwarded via Chronicle forwarder Sysmon Event ID 1 via Chronicle forwarder

Required Tables

UDM Events (event_type = PROCESS_LAUNCH)

False Positives

Authorized IT operations teams executing scheduled AD inventory scripts or user reconciliation tasks using dsquery.exe or PowerShell AD cmdlets
Active Directory monitoring and management platforms (e.g., RSAT, ManageEngine AD Manager) that enumerate users and groups as part of normal health checks
Privileged access workstations (PAWs) used by domain administrators for routine AD administration, generating frequent AD enumeration activity

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /^(net\.exe|net1\.exe|wmic\.exe|dsquery\.exe|nltest\.exe|whoami\.exe|powershell\.exe|pwsh\.exe)$/i
| CommandLine = /net\s+(user|localgroup|group)|wmic.*(useraccount|\sgroup)|whoami.*\/(groups|all|priv)|(get-localuser|get-localgroup|get-localgroupmember|get-aduser|get-adgroupmember|get-adobject|get-adprincipalgroup|directorysearcher|directoryentry|\[adsi\])|dsquery\s|nltest\s/i
| eval NetUserEnum = if(CommandLine = /net(1)?\s+user/i, "true", "false")
| eval NetGroupEnum = if(CommandLine = /net(1)?\s+(localgroup|group)/i, "true", "false")
| eval NetDomainEnum = if(CommandLine = /net(1)?\s+(user|group).*\/domain/i, "true", "false")
| eval WMICEnum = if(CommandLine = /wmic.*(useraccount|\sgroup)/i, "true", "false")
| eval DSQueryEnum = if(FileName = /dsquery\.exe/i, "true", "false")
| eval NLTestEnum = if(FileName = /nltest\.exe/i, "true", "false")
| eval WhoamiEnum = if(CommandLine = /whoami.*\/(groups|all|priv)/i, "true", "false")
| eval PSLocalEnum = if(CommandLine = /(get-localuser|get-localgroup|get-localgroupmember)/i, "true", "false")
| eval PSADEnum = if(CommandLine = /(get-aduser|get-adgroupmember|get-adprincipalgroup|get-adobject)/i, "true", "false")
| eval PrivGroupTarget = if(CommandLine = /(administrators|domain admins|enterprise admins|schema admins)/i, "true", "false")
| eval EncodedPS = if(CommandLine = /-(enc|EncodedCommand)\s/i, "true", "false")
| select [@timestamp, ComputerName, UserName, FileName, CommandLine, ParentProcessId, ParentBaseFileName, NetUserEnum, NetGroupEnum, NetDomainEnum, WMICEnum, DSQueryEnum, NLTestEnum, WhoamiEnum, PSLocalEnum, PSADEnum, PrivGroupTarget, EncodedPS]
| sort @timestamp desc

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent (ProcessRollup2 events) Falcon Data Replicator (FDR) - process telemetry

Required Tables

ProcessRollup2

False Positives

System administrators executing net user or net localgroup commands to manage local accounts or troubleshoot access issues on workstations and servers
Active Directory management and monitoring tools (e.g., RSAT, Quest AD tools, Varonis) that perform frequent account enumeration as part of normal operations
Security and identity governance platforms performing scheduled access reviews or certification campaigns via PowerShell AD cmdlets

Last updated: 2026-04-17 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1087 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Account Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Discovery

Popular Detections