T1087.001 IBM QRadar · QRadar

Detect Local Account in IBM QRadar

Adversaries may attempt to get a listing of local system accounts to aid in follow-on behavior such as privilege escalation, lateral movement, or credential access. On Windows, commands such as net user and net localgroup are commonly used. On Linux and macOS, commands such as id, groups, cat /etc/passwd, and dscl . list /Users enumerate local accounts. On ESXi, esxcli system account list retrieves local accounts. This information helps adversaries understand the account landscape, identify high-value targets like local administrators, and plan further attack steps.

MITRE ATT&CK

Tactic
Discovery
Technique
T1087 Account Discovery
Sub-technique
T1087.001 Local Account
Canonical reference
https://attack.mitre.org/techniques/T1087/001/

QRadar Detection Query

IBM QRadar (QRadar) AQL

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS Username,
  "Process Name" AS ProcessImage,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  sourceip AS SourceIP,
  CASE
    WHEN LOWER("Process Name") LIKE '%net.exe' OR LOWER("Process Name") LIKE '%net1.exe' THEN 'net.exe/net1.exe'
    WHEN LOWER("Process Name") LIKE '%powershell.exe' THEN 'PowerShell Cmdlet'
    WHEN LOWER("Process Name") LIKE '%wmic.exe' THEN 'WMIC'
    WHEN LOWER("Process Name") LIKE '%query.exe' THEN 'query.exe'
    ELSE 'Other'
  END AS EnumerationMethod,
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%cmd.exe'
      OR LOWER("Parent Process Name") LIKE '%powershell.exe'
      OR LOWER("Parent Process Name") LIKE '%wscript.exe'
      OR LOWER("Parent Process Name") LIKE '%cscript.exe'
      OR LOWER("Parent Process Name") LIKE '%mshta.exe'
      OR LOWER("Parent Process Name") LIKE '%rundll32.exe'
      OR LOWER("Parent Process Name") LIKE '%regsvr32.exe'
    THEN '1' ELSE '0'
  END AS IsSuspiciousParent
FROM events
WHERE (
    (LOWER("Process Name") LIKE '%net.exe' AND (LOWER("Command") LIKE '% user%' OR LOWER("Command") LIKE '%localgroup%' OR LOWER("Command") LIKE '%accounts%'))
    OR (LOWER("Process Name") LIKE '%net1.exe' AND (LOWER("Command") LIKE '% user%' OR LOWER("Command") LIKE '%localgroup%' OR LOWER("Command") LIKE '%accounts%'))
    OR (LOWER("Process Name") LIKE '%powershell.exe' AND (LOWER("Command") LIKE '%get-localuser%' OR LOWER("Command") LIKE '%get-localgroup%' OR LOWER("Command") LIKE '%get-localgroupmember%' OR LOWER("Command") LIKE '%win32_useraccount%'))
    OR (LOWER("Process Name") LIKE '%wmic.exe' AND (LOWER("Command") LIKE '%useraccount%' OR LOWER("Command") LIKE '%win32_useraccount%'))
    OR (LOWER("Process Name") LIKE '%query.exe' AND (LOWER("Command") LIKE '% user%' OR LOWER("Command") LIKE '% session%'))
  )
ORDER BY starttime DESC
LAST 24 HOURS

Severity: medium · Confidence: high

Detects local account enumeration using IBM QRadar AQL against Windows process creation events (Security Event ID 4688 and Sysmon Event ID 1). The query reads the normalized 'Process Name', 'Command' and 'Parent Process Name' custom event properties, which must be mapped via the DSM editor from both the Windows Security and Sysmon log sources. LOWER() combined with LIKE gives case-insensitive matching on image names and command lines. Inline CASE expressions classify the enumeration method (net.exe/net1.exe, PowerShell cmdlet, WMIC, query.exe) and flag a suspicious parent process (script hosts and LOLBins such as wscript.exe, mshta.exe or rundll32.exe) so analysts can prioritise triage.

Data Sources

  • IBM QRadar SIEM
  • Windows Security Event Log (Event ID 4688)
  • Sysmon for Windows (Event ID 1)

Required Tables

events

False Positives & Tuning

  • IT administrators running net user or net localgroup commands during routine account management, password resets, or compliance audits
  • Automated endpoint management solutions such as SCCM, Tanium, or BigFix enumerating local accounts for compliance inventory checks
  • Security operations tooling or vulnerability scanners using WMI to query Win32_UserAccount as part of automated asset discovery scans
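The Python program below is an added example, not part of the original page and not IBM or QRadar code. It reproduces the AQL query's logic outside the SIEM so the match conditions, the EnumerationMethod classification, the suspicious-parent flag and the tuning allowlist described in the bullets above can be exercised against constructed telemetry before the rule is tuned in production. It first maps a Sysmon Event ID 1 record and Security 4688 records onto the 'Process Name', 'Command' and 'Parent Process Name' properties the query expects (the DSM editor's job in QRadar), then applies the same rules. The sample events, the `agent.exe` parent image and the `svc-` account prefix in the allowlist are constructed placeholders, not real products or captured data.

```python
"""Local account enumeration detection (T1087.001): Python rendering of the
AQL query on this page. Added example, not part of the original page. It
normalizes constructed Sysmon Event ID 1 / Security 4688 records into the
query's custom properties, applies the same match and classification rules,
and suppresses a constructed tuning-allowlist entry."""
import ntpath
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# --- Constructed sample telemetry (not captured from a real host) ----------
SYSMON_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:22:41.000</Data>
    <Data Name="Image">C:\\Windows\\System32\\net.exe</Data>
    <Data Name="CommandLine">net localgroup administrators</Data>
    <Data Name="User">CORP\\jdoe</Data>
    <Data Name="ParentImage">C:\\Windows\\System32\\cmd.exe</Data>
  </EventData>
</Event>"""

# Security 4688 records as field name -> value, the shape a DSM hands over.
SECURITY_4688_EVENTS = [
    {"SubjectUserName": "svc-inventory",          # constructed service account
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ProcessCommandLine": "wmic useraccount get name,sid",
     "ParentProcessName": "C:\\Program Files\\ExampleAgent\\agent.exe"},
    {"SubjectUserName": "jdoe",                   # benign: 'net use', not 'net user'
     "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "ProcessCommandLine": "net use \\\\fs01\\share",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"SubjectUserName": "jdoe",                   # cmdlet launched from mshta.exe
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ProcessCommandLine": "powershell -c Get-LocalGroupMember -Group Administrators",
     "ParentProcessName": "C:\\Windows\\System32\\mshta.exe"},
]


def normalize_sysmon(xml_text):
    """Map a Sysmon Event ID 1 record onto the query's custom properties."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:Data", SYSMON_NS)}
    return {"username": data.get("User", ""), "Process Name": data.get("Image", ""),
            "Command": data.get("CommandLine", ""),
            "Parent Process Name": data.get("ParentImage", "")}


def normalize_4688(rec):
    """Same mapping for a Windows Security Event ID 4688 record."""
    return {"username": rec.get("SubjectUserName", ""), "Process Name": rec.get("NewProcessName", ""),
            "Command": rec.get("ProcessCommandLine", ""),
            "Parent Process Name": rec.get("ParentProcessName", "")}


# (image basenames, command-line substrings, EnumerationMethod label): the
# same pairs as the WHERE clause and the first CASE expression of the AQL.
RULES = [
    ({"net.exe", "net1.exe"}, (" user", "localgroup", "accounts"), "net.exe/net1.exe"),
    ({"powershell.exe"}, ("get-localuser", "get-localgroup", "get-localgroupmember",
                          "win32_useraccount"), "PowerShell Cmdlet"),
    ({"wmic.exe"}, ("useraccount", "win32_useraccount"), "WMIC"),
    ({"query.exe"}, (" user", " session"), "query.exe"),
]
# Parents flagged by the second CASE expression (IsSuspiciousParent).
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def classify(ev):
    """Return alert fields for one normalized event, or None when no rule matches."""
    image, cmd = basename(ev["Process Name"]), ev["Command"].lower()
    for images, needles, label in RULES:
        if image in images and any(n in cmd for n in needles):
            return {"Username": ev["username"], "ProcessImage": ev["Process Name"],
                    "CommandLine": ev["Command"], "EnumerationMethod": label,
                    "IsSuspiciousParent": basename(ev["Parent Process Name"]) in SUSPICIOUS_PARENTS}
    return None


# Tuning allowlist of the kind the bullets above recommend. Constructed
# entry: suppress WMI/PowerShell enumeration when it is spawned by a known
# management agent under a service account. Keep entries this narrow; an
# allowlist keyed on the image alone would also hide an abused agent.
ALLOWLIST = [
    {"parent": "agent.exe", "user_prefix": "svc-", "methods": {"WMIC", "PowerShell Cmdlet"}},
]


def is_allowlisted(ev, alert):
    return any(basename(ev["Parent Process Name"]) == e["parent"]
               and ev["username"].lower().startswith(e["user_prefix"])
               and alert["EnumerationMethod"] in e["methods"] for e in ALLOWLIST)


def detect(events):
    """Apply classify() then the allowlist; returns alerts with a triage priority."""
    alerts = []
    for ev in events:
        alert = classify(ev)
        if alert is None or is_allowlisted(ev, alert):
            continue
        alert["Priority"] = "high" if alert["IsSuspiciousParent"] else "medium"
        alerts.append(alert)
    return alerts


def sample_events():
    return [normalize_sysmon(SYSMON_EVENT)] + [normalize_4688(r) for r in SECURITY_4688_EVENTS]


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a["Priority"], a["EnumerationMethod"], a["Username"], a["CommandLine"])
```

Run on the constructed sample, the program raises two alerts (the `net localgroup administrators` from cmd.exe and the cmdlet from mshta.exe), suppresses the WMIC call from the allowlisted agent, and ignores `net use` because the `' user'` substring requires the space. One deliberate difference from the AQL: `LIKE '%net.exe'` is a suffix match and therefore also matches images such as `telnet.exe`, whereas the Python compares the file basename, which is the tighter check.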

Testing Methodology

Validate this detection against the 5 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Local Account Enumeration via net user and net localgroup

    Expected signal: Sysmon Event ID 1: Three process creation events with Image=C:\Windows\System32\net.exe and CommandLine values 'net user', 'net localgroup', 'net localgroup administrators'. Security Event ID 4799 may be generated for the localgroup administrators query. Security Event ID 4688 if command-line auditing is enabled.

  2. Test 2: Local Account Enumeration via PowerShell Get-LocalUser

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-LocalUser', 'Get-LocalGroup', 'Get-LocalGroupMember'. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Windows Security Event ID 4799 for the Administrators group membership enumeration.

  3. Test 3: Local Account Enumeration via WMIC

    Expected signal: Sysmon Event ID 1: Two process creation events with Image=C:\Windows\System32\wbem\WMIC.exe and CommandLines containing 'useraccount' and 'win32_useraccount'. Security Event ID 4688 if command-line auditing is enabled.

  4. Test 4: Local Account Enumeration on Linux via /etc/passwd and id

    Expected signal: Linux auditd syscall events: openat() or open() syscall for /etc/passwd with the UID of the executing process. Syslog or auditd process execution records for 'cat', 'cut', 'id', 'groups', 'getent', 'who' commands. In environments with Sysmon for Linux: EventCode=1 process creation events for each command.

  5. Test 5: Local Account Enumeration via query user and Security Event Trigger

    Expected signal: Sysmon Event ID 1: Two process creation events with Image=C:\Windows\System32\query.exe and CommandLines 'query user' and 'query session'. Security Event ID 4688 if process creation auditing with command lines is enabled.
