T1087.001 Local Account Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AccountEnumCommands = dynamic([
  "net user", "net localgroup", "net accounts",
  "Get-LocalUser", "Get-LocalGroup", "Get-LocalGroupMember",
  "query user", "query session",
  "wmic useraccount", "wmic path win32_useraccount",
  "dsquery user", "lusrmgr"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "net.exe" or FileName =~ "net1.exe") and
    (ProcessCommandLine has "user" or ProcessCommandLine has "localgroup" or ProcessCommandLine has "accounts")
  ) or
  (
    FileName =~ "powershell.exe" and
    ProcessCommandLine has_any ("Get-LocalUser", "Get-LocalGroup", "Get-LocalGroupMember", "Get-WmiObject Win32_UserAccount", "Get-CimInstance Win32_UserAccount")
  ) or
  (
    FileName =~ "wmic.exe" and
    (ProcessCommandLine has "useraccount" or ProcessCommandLine has "win32_useraccount")
  ) or
  (
    FileName =~ "query.exe" and
    (ProcessCommandLine has "user" or ProcessCommandLine has "session")
  )
| extend EnumerationMethod = case(
    FileName =~ "net.exe" or FileName =~ "net1.exe", "net.exe/net1.exe",
    FileName =~ "powershell.exe", "PowerShell Cmdlet",
    FileName =~ "wmic.exe", "WMIC",
    FileName =~ "query.exe", "query.exe",
    "Other"
  )
| extend IsSuspiciousParent = InitiatingProcessFileName in~ (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         EnumerationMethod, IsSuspiciousParent
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running net user or net localgroup for routine account auditing and inventory
Security monitoring tools and vulnerability scanners (Tenable, Qualys, CrowdStrike) that enumerate accounts during assessments
Software installation and configuration management tools (SCCM, Ansible, Puppet) that validate account configurations
Helpdesk personnel running query user to check active sessions before performing maintenance
User provisioning automation scripts that verify account existence before creating or modifying accounts

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, lower(ProcessCommandLine))
| eval CommandLine=lower(CommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval IsNetEnum=if(
    match(Image, "(net\.exe|net1\.exe)$") AND match(CommandLine, "(user|localgroup|accounts)"),
    1, 0
  )
| eval IsPSEnum=if(
    match(Image, "powershell\.exe$") AND match(CommandLine, "(get-localuser|get-localgroup|get-localgroupmember|win32_useraccount|win32_userprofile)"),
    1, 0
  )
| eval IsWMICEnum=if(
    match(Image, "wmic\.exe$") AND match(CommandLine, "(useraccount|win32_useraccount)"),
    1, 0
  )
| eval IsQueryEnum=if(
    match(Image, "query\.exe$") AND match(CommandLine, "(user|session)"),
    1, 0
  )
| eval IsSuspiciousParent=if(
    match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$"),
    1, 0
  )
| eval EnumScore=IsNetEnum + IsPSEnum + IsWMICEnum + IsQueryEnum
| where EnumScore > 0
| eval EnumerationMethod=case(
    IsNetEnum=1, "net.exe/net1.exe",
    IsPSEnum=1, "PowerShell Cmdlet",
    IsWMICEnum=1, "WMIC",
    IsQueryEnum=1, "query.exe",
    1=1, "Other"
  )
| table _time, host, User, Image, CommandLine, ParentImage, EnumerationMethod, IsSuspiciousParent
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators running net user or net localgroup for routine account auditing and inventory
Security monitoring tools and vulnerability scanners (Tenable, Qualys, CrowdStrike) that enumerate accounts during assessments
Software installation and configuration management tools (SCCM, Ansible, Puppet) that validate account configurations
Helpdesk personnel running query user to check active sessions before performing maintenance
User provisioning automation scripts that verify account existence before creating or modifying accounts

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  (
    process.name : ("net.exe", "net1.exe") and
    process.command_line : ("* user*", "* localgroup*", "* accounts*")
  ) or
  (
    process.name : "powershell.exe" and
    process.command_line : ("*Get-LocalUser*", "*Get-LocalGroup*", "*Get-LocalGroupMember*", "*Win32_UserAccount*", "*Win32_UserProfile*")
  ) or
  (
    process.name : "wmic.exe" and
    process.command_line : ("*useraccount*", "*win32_useraccount*")
  ) or
  (
    process.name : "query.exe" and
    process.command_line : ("* user*", "* session*")
  )
)

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Module Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-endpoint.events.process-*

False Positives

IT administrators running scheduled account inventory or audit scripts that enumerate local users and groups as part of baseline compliance checks
Helpdesk staff using net.exe or query.exe interactively to verify session or account status during user support calls
Endpoint management platforms such as SCCM, Ansible, or PDQ Inventory collecting account inventory via WMI or net commands during discovery cycles

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS Username,
  "Process Name" AS ProcessImage,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  sourceip AS SourceIP,
  CASE
    WHEN LOWER("Process Name") LIKE '%net.exe' OR LOWER("Process Name") LIKE '%net1.exe' THEN 'net.exe/net1.exe'
    WHEN LOWER("Process Name") LIKE '%powershell.exe' THEN 'PowerShell Cmdlet'
    WHEN LOWER("Process Name") LIKE '%wmic.exe' THEN 'WMIC'
    WHEN LOWER("Process Name") LIKE '%query.exe' THEN 'query.exe'
    ELSE 'Other'
  END AS EnumerationMethod,
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%cmd.exe'
      OR LOWER("Parent Process Name") LIKE '%powershell.exe'
      OR LOWER("Parent Process Name") LIKE '%wscript.exe'
      OR LOWER("Parent Process Name") LIKE '%cscript.exe'
      OR LOWER("Parent Process Name") LIKE '%mshta.exe'
      OR LOWER("Parent Process Name") LIKE '%rundll32.exe'
      OR LOWER("Parent Process Name") LIKE '%regsvr32.exe'
    THEN '1' ELSE '0'
  END AS IsSuspiciousParent
FROM events
WHERE (
    (LOWER("Process Name") LIKE '%net.exe' AND (LOWER("Command") LIKE '% user%' OR LOWER("Command") LIKE '%localgroup%' OR LOWER("Command") LIKE '%accounts%'))
    OR (LOWER("Process Name") LIKE '%net1.exe' AND (LOWER("Command") LIKE '% user%' OR LOWER("Command") LIKE '%localgroup%' OR LOWER("Command") LIKE '%accounts%'))
    OR (LOWER("Process Name") LIKE '%powershell.exe' AND (LOWER("Command") LIKE '%get-localuser%' OR LOWER("Command") LIKE '%get-localgroup%' OR LOWER("Command") LIKE '%get-localgroupmember%' OR LOWER("Command") LIKE '%win32_useraccount%'))
    OR (LOWER("Process Name") LIKE '%wmic.exe' AND (LOWER("Command") LIKE '%useraccount%' OR LOWER("Command") LIKE '%win32_useraccount%'))
    OR (LOWER("Process Name") LIKE '%query.exe' AND (LOWER("Command") LIKE '% user%' OR LOWER("Command") LIKE '% session%'))
  )
LAST 24 HOURS
ORDER BY starttime DESC

medium severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (Event ID 4688) Sysmon for Windows (Event ID 1)

Required Tables

events

False Positives

IT administrators running net user or net localgroup commands during routine account management, password resets, or compliance audits
Automated endpoint management solutions such as SCCM, Tanium, or BigFix enumerating local accounts for compliance inventory checks
Security operations tooling or vulnerability scanners using WMI to query Win32_UserAccount as part of automated asset discovery scans

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*endpoint*)
| where EventCode in ("1", "4688")
| eval image = toLowerCase(if(!isEmpty(Image), Image, if(!isEmpty(NewProcessName), NewProcessName, "")))
| eval cmdline = toLowerCase(if(!isEmpty(CommandLine), CommandLine, if(!isEmpty(ProcessCommandLine), ProcessCommandLine, "")))
| eval parent = toLowerCase(if(!isEmpty(ParentImage), ParentImage, if(!isEmpty(ParentProcessName), ParentProcessName, "")))
| where (
    (matches(image, ".*(net.exe|net1.exe)$") AND (contains(cmdline, "user") OR contains(cmdline, "localgroup") OR contains(cmdline, "accounts")))
    OR (matches(image, ".*powershell.exe$") AND (contains(cmdline, "get-localuser") OR contains(cmdline, "get-localgroup") OR contains(cmdline, "get-localgroupmember") OR contains(cmdline, "win32_useraccount")))
    OR (matches(image, ".*wmic.exe$") AND (contains(cmdline, "useraccount") OR contains(cmdline, "win32_useraccount")))
    OR (matches(image, ".*query.exe$") AND (contains(cmdline, "user") OR contains(cmdline, "session")))
  )
| eval EnumerationMethod = if(matches(image, ".*(net.exe|net1.exe)$"), "net.exe/net1.exe",
    if(matches(image, ".*powershell.exe$"), "PowerShell Cmdlet",
    if(matches(image, ".*wmic.exe$"), "WMIC",
    if(matches(image, ".*query.exe$"), "query.exe", "Other"))))
| eval IsSuspiciousParent = if(matches(parent, ".*(cmd.exe|powershell.exe|pwsh.exe|wscript.exe|cscript.exe|mshta.exe|rundll32.exe|regsvr32.exe)$"), "true", "false")
| table _messageTime, Computer, user, image, cmdline, parent, EnumerationMethod, IsSuspiciousParent
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon (Event ID 1) Windows Security Event Log (Event ID 4688)

Required Tables

_sourceCategory=*windows* _sourceCategory=*endpoint*

False Positives

IT support staff using net user or query user interactively to troubleshoot account lockout or active session issues during helpdesk calls
RMM tools such as ConnectWise Automate or NinjaRMM enumerating local group membership as part of automated asset baseline tracking
PowerShell-based provisioning or onboarding scripts that call Get-LocalUser or Get-LocalGroup to validate account state before applying configuration changes

Google Chronicle / SecOps

yaral

rule t1087_001_local_account_enumeration {
  meta:
    author = "Detection Engineering"
    description = "Detects local account enumeration via net.exe, PowerShell Get-Local* cmdlets, WMIC Win32_UserAccount, or query.exe"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1087.001"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.principal.process.file.full_path, `(?i)net(1)?\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)(user|localgroup|accounts)`)
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)powershell\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)(Get-LocalUser|Get-LocalGroup|Get-LocalGroupMember|Win32_UserAccount|Win32_UserProfile)`)
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)wmic\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)(useraccount|win32_useraccount)`)
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)query\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)\b(user|session)\b`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle SIEM Google Chronicle Unified Data Model (UDM) Windows EDR and Sysmon telemetry forwarded to Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Authorized privileged account audits run by IT administrators via net.exe or PowerShell management scripts under sanctioned change windows
Service accounts used by SCCM, Microsoft Intune, or Group Policy processing that query local group membership during policy application cycles
Corporate security tooling performing periodic CIS benchmark compliance checks that enumerate local administrators group members across endpoints

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName =~ /^(net|net1|powershell|wmic|query)\.exe$/i
| case {
    FileName =~ /^net(1)?\.exe$/i AND CommandLine =~ /(?i)(user|localgroup|accounts)/ |
      EnumerationMethod := "net.exe/net1.exe" ;
    FileName =~ /^powershell\.exe$/i AND CommandLine =~ /(?i)(Get-LocalUser|Get-LocalGroup|Get-LocalGroupMember|Win32_UserAccount)/ |
      EnumerationMethod := "PowerShell Cmdlet" ;
    FileName =~ /^wmic\.exe$/i AND CommandLine =~ /(?i)(useraccount|win32_useraccount)/ |
      EnumerationMethod := "WMIC" ;
    FileName =~ /^query\.exe$/i AND CommandLine =~ /(?i)\b(user|session)\b/ |
      EnumerationMethod := "query.exe" ;
    * | EnumerationMethod := "no_match"
  }
| EnumerationMethod != "no_match"
| IsSuspiciousParent := if(ParentBaseFileName =~ /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe/, "true", "false")
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, EnumerationMethod, IsSuspiciousParent])
| sort(timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon NGSIEM CrowdStrike Falcon Endpoint Protection platform CrowdStrike Falcon LogScale (Humio)

Required Tables

ProcessRollup2 (#event_simpleName)

False Positives

CrowdStrike Falcon Real-Time Response sessions where security analysts run net user or query user commands during active incident investigations on endpoints
IT automation scripts deployed via Falcon Fusion workflows that enumerate local accounts as part of device health checks or onboarding compliance verification
Windows logon scripts or GPO startup scripts that call net localgroup administrators to verify local admin group membership before applying configuration

Local Account

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections