Which SIEM platforms have a T1087.001 detection rule?

df00tech provides T1087.001 (Local Account) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Local Account (T1087.001)?

Detecting Local Account requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1087.001 detection?

The T1087.001 detection is rated medium severity with high confidence.

What are common false positives for T1087.001?

Common false positives for T1087.001 include: IT administrators running net user or net localgroup for routine account auditing and inventory; Security monitoring tools and vulnerability scanners (Tenable, Qualys, CrowdStrike) that enumerate accounts during assessments; Software installation and configuration management tools (SCCM, Ansible, Puppet) that validate account configurations.

T1087.001 Google Chronicle · YARA-L

Detect Local Account in Google Chronicle

Adversaries may attempt to get a listing of local system accounts to aid in follow-on behavior such as privilege escalation, lateral movement, or credential access. On Windows, commands such as net user and net localgroup are commonly used. On Linux and macOS, commands such as id, groups, cat /etc/passwd, and dscl . list /Users enumerate local accounts. On ESXi, esxcli system account list retrieves local accounts. This information helps adversaries understand the account landscape, identify high-value targets like local administrators, and plan further attack steps.

MITRE ATT&CK

Tactic: Discovery
Technique: T1087 Account Discovery
Sub-technique: T1087.001 Local Account
Canonical reference: https://attack.mitre.org/techniques/T1087/001/

YARA-L Detection Query

Google Chronicle (YARA-L)

yaral

rule t1087_001_local_account_enumeration {
  meta:
    author = "Detection Engineering"
    description = "Detects local account enumeration via net.exe, PowerShell Get-Local* cmdlets, WMIC Win32_UserAccount, or query.exe"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1087.001"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.principal.process.file.full_path, `(?i)net(1)?\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)(user|localgroup|accounts)`)
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)powershell\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)(Get-LocalUser|Get-LocalGroup|Get-LocalGroupMember|Win32_UserAccount|Win32_UserProfile)`)
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)wmic\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)(useraccount|win32_useraccount)`)
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)query\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)\b(user|session)\b`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Google Chronicle YARA-L 2.0 rule detecting T1087.001 local account enumeration. Matches PROCESS_LAUNCH UDM events where principal.process.file.full_path ends with a known enumeration binary (net.exe, net1.exe, powershell.exe, wmic.exe, query.exe) and principal.process.command_line contains account discovery keywords. Uses re.regex() with case-insensitive backtick-delimited patterns. Single-event rule firing on each qualifying process launch.

Data Sources

Google Chronicle SIEMGoogle Chronicle Unified Data Model (UDM)Windows EDR and Sysmon telemetry forwarded to Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

Authorized privileged account audits run by IT administrators via net.exe or PowerShell management scripts under sanctioned change windows
Service accounts used by SCCM, Microsoft Intune, or Group Policy processing that query local group membership during policy application cycles
Corporate security tooling performing periodic CIS benchmark compliance checks that enumerate local administrators group members across endpoints

Download portable Sigma rule (.yml)

Other platforms for T1087.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Local Account Enumeration via net user and net localgroup
Expected signal: Sysmon Event ID 1: Three process creation events with Image=C:\Windows\System32\net.exe and CommandLine values 'net user', 'net localgroup', 'net localgroup administrators'. Security Event ID 4799 may be generated for the localgroup administrators query. Security Event ID 4688 if command-line auditing is enabled.
Test 2Local Account Enumeration via PowerShell Get-LocalUser
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-LocalUser', 'Get-LocalGroup', 'Get-LocalGroupMember'. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Windows Security Event ID 4799 for the Administrators group membership enumeration.
Test 3Local Account Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Two process creation events with Image=C:\Windows\System32\wbem\WMIC.exe and CommandLines containing 'useraccount' and 'win32_useraccount'. Security Event ID 4688 if command-line auditing is enabled.
Test 4Local Account Enumeration on Linux via /etc/passwd and id
Expected signal: Linux auditd syscall events: openat() or open() syscall for /etc/passwd with the UID of the executing process. Syslog or auditd process execution records for 'cat', 'cut', 'id', 'groups', 'getent', 'who' commands. In environments with Sysmon for Linux: EventCode=1 process creation events for each command.
Test 5Local Account Enumeration via query user and Security Event Trigger
Expected signal: Sysmon Event ID 1: Two process creation events with Image=C:\Windows\System32\query.exe and CommandLines 'query user' and 'query session'. Security Event ID 4688 if process creation auditing with command lines is enabled.

Last updated: 2026-04-13 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1087.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Local Account in Google Chronicle

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1087.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Discovery

Popular Detections

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1087.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox