T1087.002

Domain Account

Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users.

Microsoft Sentinel / Defender

kusto

let DomainEnumProcesses = dynamic(["net.exe", "net1.exe"]);
let ADToolNames = dynamic(["adfind.exe", "adfind", "nltest.exe", "dsquery.exe", "ldifde.exe", "csvde.exe", "dsget.exe", "crackmapexec.exe", "cme.exe", "bloodhound.exe", "sharphound.exe"]);
let DomainEnumArgs = dynamic(["/domain", "domain admins", "domain users", "domain controllers", "enterprise admins", "schema admins", "get-aduser", "get-adgroupmember", "get-adgroup", "get-adcomputer", "samaccountname", "distinguishedname"]);
let LDAPQueryPatterns = dynamic(["ldap://", "ldap:\\\\", "objectclass=user", "objectclass=person", "samaccounttype", "useraccountcontrol"]);
// Detect net.exe and net1.exe domain account enumeration
let NetDomainEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (DomainEnumProcesses)
| where ProcessCommandLine has_any ("/domain", "domain admins", "domain users", "domain controllers", "enterprise admins")
| extend EnumType = case(
    ProcessCommandLine has "user" and ProcessCommandLine has "/domain", "net user /domain",
    ProcessCommandLine has "group" and ProcessCommandLine has "/domain", "net group /domain",
    ProcessCommandLine has "accounts" and ProcessCommandLine has "/domain", "net accounts /domain",
    "net /domain other"
  )
| extend TechniqueSource = "net.exe";
// Detect PowerShell AD module usage
let PSADEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Get-ADUser", "Get-ADGroupMember", "Get-ADGroup", "Get-ADComputer", "Get-ADObject", "Get-ADDomain", "Get-ADForest", "Get-DomainUser", "Get-DomainGroupMember", "Get-DomainGroup", "Get-NetUser", "Get-NetGroup")
| extend EnumType = case(
    ProcessCommandLine has "Get-ADUser", "Get-ADUser",
    ProcessCommandLine has "Get-ADGroupMember", "Get-ADGroupMember",
    ProcessCommandLine has "Get-DomainUser", "Get-DomainUser (PowerView)",
    ProcessCommandLine has "Get-NetUser", "Get-NetUser (PowerView)",
    "PowerShell AD Enum"
  )
| extend TechniqueSource = "PowerShell";
// Detect known AD enumeration tools
let ADToolEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ADToolNames) or InitiatingProcessFileName has_any (ADToolNames)
| where ProcessCommandLine has_any ("user", "group", "objectclass", "samaccountname", "domain", "ldap")
| extend EnumType = "AD Enumeration Tool"
| extend TechniqueSource = FileName;
// Combine results
union NetDomainEnum, PSADEnum, ADToolEnum
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, EnumType, TechniqueSource
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators legitimately running net user /domain or net group /domain commands during troubleshooting or account management tasks
Helpdesk staff using Get-ADUser or Get-ADGroupMember in PowerShell for user management operations
Monitoring and identity governance tools (e.g., SailPoint, Varonis, CyberArk) that periodically enumerate AD accounts as part of access reviews
HR or provisioning automation scripts that enumerate domain groups when onboarding or offboarding users
Domain controller health check scripts or scheduled tasks that enumerate accounts as part of routine auditing

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, lower(ProcessCommandLine))
| eval CommandLine=lower(CommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval User=coalesce(User, SubjectUserName)
| eval host=coalesce(host, ComputerName)
| eval IsNetDomainEnum=if(
    (match(Image, "(net\.exe|net1\.exe)$") AND match(CommandLine, "(/domain|domain admins|domain users|domain controllers|enterprise admins|schema admins)")),
    1, 0)
| eval IsPSADEnum=if(
    (match(Image, "(powershell\.exe|pwsh\.exe)$") AND match(CommandLine, "(get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-adobject|get-adomain|get-adforest|get-domainuser|get-domaingroupmember|get-domaingroup|get-netuser|get-netgroup)")),
    1, 0)
| eval IsADTool=if(
    match(Image, "(adfind\.exe|nltest\.exe|dsquery\.exe|ldifde\.exe|csvde\.exe|dsget\.exe|sharphound\.exe|bloodhound\.exe|crackmapexec\.exe|cme\.exe)$"),
    1, 0)
| eval EnumType=case(
    IsNetDomainEnum=1 AND match(CommandLine, "user"), "net user /domain",
    IsNetDomainEnum=1 AND match(CommandLine, "group"), "net group /domain",
    IsNetDomainEnum=1 AND match(CommandLine, "accounts"), "net accounts /domain",
    IsNetDomainEnum=1, "net /domain enum",
    IsPSADEnum=1 AND match(CommandLine, "get-aduser"), "Get-ADUser",
    IsPSADEnum=1 AND match(CommandLine, "get-adgroupmember"), "Get-ADGroupMember",
    IsPSADEnum=1 AND match(CommandLine, "get-domainuser|get-netuser"), "PowerView User Enum",
    IsPSADEnum=1, "PowerShell AD Enum",
    IsADTool=1, "AD Enumeration Tool",
    true(), "Unknown")
| where IsNetDomainEnum=1 OR IsPSADEnum=1 OR IsADTool=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, EnumType, IsNetDomainEnum, IsPSADEnum, IsADTool
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators legitimately running net user /domain or net group /domain commands during troubleshooting or account management tasks
Helpdesk staff using Get-ADUser or Get-ADGroupMember in PowerShell for user management operations
Monitoring and identity governance tools (e.g., SailPoint, Varonis, CyberArk) that periodically enumerate AD accounts as part of access reviews
HR or provisioning automation scripts that enumerate domain groups when onboarding or offboarding users
Domain controller health check scripts or scheduled tasks that enumerate accounts as part of routine auditing

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "ProcessImage" AS process_image,
  "CommandLine" AS command_line,
  "ParentProcessImage" AS parent_image,
  CASE
    WHEN LOWER("ProcessImage") LIKE '%net.exe' AND LOWER("CommandLine") LIKE '%/domain%' AND LOWER("CommandLine") LIKE '%user%' THEN 'net user /domain'
    WHEN LOWER("ProcessImage") LIKE '%net.exe' AND LOWER("CommandLine") LIKE '%/domain%' AND LOWER("CommandLine") LIKE '%group%' THEN 'net group /domain'
    WHEN LOWER("ProcessImage") LIKE '%net.exe' AND LOWER("CommandLine") LIKE '%/domain%' AND LOWER("CommandLine") LIKE '%accounts%' THEN 'net accounts /domain'
    WHEN LOWER("ProcessImage") LIKE '%powershell%' AND REGEXP_MATCH(LOWER("CommandLine"), '(get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-adomain|get-adforest|get-domainuser|get-netuser|get-netgroup)') THEN 'PowerShell AD Enumeration'
    WHEN REGEXP_MATCH(LOWER("ProcessImage"), '(adfind|nltest|dsquery|ldifde|csvde|dsget|sharphound|bloodhound|crackmapexec|cme)\.exe') THEN 'AD Enumeration Tool'
    ELSE 'Domain Enum - Other'
  END AS enum_type,
  qidname(qid) AS event_name,
  categoryname(category) AS category
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 52, 369, 382)
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    (
      (LOWER("ProcessImage") LIKE '%net.exe' OR LOWER("ProcessImage") LIKE '%net1.exe')
      AND (
        LOWER("CommandLine") LIKE '%/domain%'
        OR LOWER("CommandLine") LIKE '%domain admins%'
        OR LOWER("CommandLine") LIKE '%domain users%'
        OR LOWER("CommandLine") LIKE '%enterprise admins%'
      )
    )
    OR (
      (LOWER("ProcessImage") LIKE '%powershell.exe' OR LOWER("ProcessImage") LIKE '%pwsh.exe')
      AND REGEXP_MATCH(LOWER("CommandLine"), '(get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-adobject|get-adomain|get-adforest|get-domainuser|get-domaingroupmember|get-domaingroup|get-netuser|get-netgroup)')
    )
    OR REGEXP_MATCH(LOWER("ProcessImage"), '(adfind|nltest|dsquery|ldifde|csvde|dsget|sharphound|bloodhound|crackmapexec|cme)\.exe')
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Windows Event Log QRadar DSMs for Windows

Required Tables

events

False Positives

Helpdesk or IT operations staff running net user /domain for routine account verification or password reset workflows
Scheduled AD synchronization tasks run by identity management solutions (e.g., Azure AD Connect, Okta AD Agent, SailPoint) that invoke PowerShell AD cmdlets
Penetration testing or red team exercises using BloodHound or AdFind with explicit authorization

Sumo Logic CSE

sql

_sourceCategory="windows/*" (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| parse field=_raw "<Image>*</Image>" as process_image nodrop
| parse field=_raw "<CommandLine>*</CommandLine>" as command_line nodrop
| parse field=_raw "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse field=_raw "<User>*</User>" as user nodrop
| parse field=_raw "NewProcessName=\"*\"" as process_image_sec nodrop
| parse field=_raw "CommandLine=\"*\"" as command_line_sec nodrop
| parse field=_raw "SubjectUserName=\"*\"" as user_sec nodrop
| if (isNull(process_image), process_image_sec, process_image) as process_image
| if (isNull(command_line), command_line_sec, command_line) as command_line
| if (isNull(user), user_sec, user) as user
| toLowerCase(process_image) as proc_lower
| toLowerCase(command_line) as cmd_lower
| where (
    (proc_lower matches "*net.exe" OR proc_lower matches "*net1.exe")
    AND (
      cmd_lower matches "*/domain*"
      OR cmd_lower contains "domain admins"
      OR cmd_lower contains "domain users"
      OR cmd_lower contains "enterprise admins"
      OR cmd_lower contains "schema admins"
    )
  )
  OR (
    (proc_lower matches "*powershell.exe" OR proc_lower matches "*pwsh.exe")
    AND (
      cmd_lower contains "get-aduser"
      OR cmd_lower contains "get-adgroupmember"
      OR cmd_lower contains "get-adgroup"
      OR cmd_lower contains "get-adcomputer"
      OR cmd_lower contains "get-adobject"
      OR cmd_lower contains "get-addomain"
      OR cmd_lower contains "get-adforest"
      OR cmd_lower contains "get-domainuser"
      OR cmd_lower contains "get-domaingroupmember"
      OR cmd_lower contains "get-domaingroup"
      OR cmd_lower contains "get-netuser"
      OR cmd_lower contains "get-netgroup"
    )
  )
  OR (
    proc_lower matches "*adfind.exe"
    OR proc_lower matches "*nltest.exe"
    OR proc_lower matches "*dsquery.exe"
    OR proc_lower matches "*ldifde.exe"
    OR proc_lower matches "*csvde.exe"
    OR proc_lower matches "*dsget.exe"
    OR proc_lower matches "*sharphound.exe"
    OR proc_lower matches "*bloodhound.exe"
    OR proc_lower matches "*crackmapexec.exe"
    OR proc_lower matches "*cme.exe"
  )
| if (proc_lower matches "*net*.exe" AND cmd_lower contains "user", "net user /domain",
    if (proc_lower matches "*net*.exe" AND cmd_lower contains "group", "net group /domain",
      if (proc_lower matches "*powershell*" AND cmd_lower contains "get-aduser", "Get-ADUser",
        if (proc_lower matches "*powershell*" AND (cmd_lower contains "get-domainuser" OR cmd_lower contains "get-netuser"), "PowerView User Enum",
          if (proc_lower matches "*powershell*", "PowerShell AD Enum",
            "AD Enumeration Tool"
          )
        )
      )
    )
  ) as enum_type
| table _time, _sourceHost, user, process_image, command_line, parent_image, enum_type
| sort by _time desc

high severity high confidence

Data Sources

Windows Security Event Log (EventCode 4688) Sysmon Operational Log (EventCode 1) Sumo Logic Windows collector

Required Tables

_sourceCategory=windows/*

False Positives

Domain administrators using dsquery or csvde for bulk user exports during migrations or audits
IT automation scripts using PowerShell AD module cmdlets for routine group membership reporting or access reviews
Security operations center tools or SIEM connectors that enumerate AD users and groups for user entity behavior analytics (UEBA) baseline building

Google Chronicle / SecOps

yaral

rule T1087_002_domain_account_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects domain account enumeration via net.exe /domain commands, PowerShell AD module and PowerView cmdlets, and known AD recon tools such as AdFind, BloodHound, SharpHound, nltest, dsquery, and CrackMapExec."
    mitre_attack_technique = "T1087.002"
    mitre_attack_tactic = "Discovery"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1087/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      // Net.exe domain enumeration
      (
        re.regex($e.target.process.file.full_path, `(?i)(net\.exe|net1\.exe)$`) and
        (
          re.regex($e.target.process.command_line, `(?i)/domain`) or
          re.regex($e.target.process.command_line, `(?i)(domain admins|domain users|domain controllers|enterprise admins|schema admins)`)
        )
      )
      or
      // PowerShell AD module and PowerView cmdlets
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)(Get-ADUser|Get-ADGroupMember|Get-ADGroup|Get-ADComputer|Get-ADObject|Get-ADDomain|Get-ADForest|Get-DomainUser|Get-DomainGroupMember|Get-DomainGroup|Get-NetUser|Get-NetGroup)`)
      )
      or
      // Known AD enumeration tools
      re.regex($e.target.process.file.full_path, `(?i)(adfind\.exe|nltest\.exe|dsquery\.exe|ldifde\.exe|csvde\.exe|dsget\.exe|sharphound\.exe|bloodhound\.exe|crackmapexec\.exe|cme\.exe)$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle via Windows Forwarding Chronicle UDM enriched process events Windows Event Log ingestion via Chronicle SIEM

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Legitimate use of nltest.exe by domain controllers or trust verification scripts during routine AD health checks
BloodHound Community Edition used by internal red teams or authorized security assessments without prior alert suppression
Enterprise onboarding automation using Get-ADComputer or Get-ADUser to verify provisioning completeness for new endpoints or users

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(net\.exe|net1\.exe|powershell\.exe|pwsh\.exe|adfind\.exe|nltest\.exe|dsquery\.exe|ldifde\.exe|csvde\.exe|dsget\.exe|sharphound\.exe|bloodhound\.exe|crackmapexec\.exe|cme\.exe)$/
| CommandLine = /(?i)(/domain|domain admins|domain users|domain controllers|enterprise admins|schema admins|get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-adobject|get-addomain|get-adforest|get-domainuser|get-domaingroupmember|get-domaingroup|get-netuser|get-netgroup|objectclass=user|samaccountname|useraccountcontrol)/
| EnumType := case {
    ImageFileName = /(?i)(net\.exe|net1\.exe)$/ AND CommandLine = /(?i)user/ => "net user /domain" ,
    ImageFileName = /(?i)(net\.exe|net1\.exe)$/ AND CommandLine = /(?i)group/ => "net group /domain" ,
    ImageFileName = /(?i)(net\.exe|net1\.exe)$/ AND CommandLine = /(?i)accounts/ => "net accounts /domain" ,
    ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/ AND CommandLine = /(?i)get-aduser/ => "Get-ADUser" ,
    ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/ AND CommandLine = /(?i)get-adgroupmember/ => "Get-ADGroupMember" ,
    ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/ AND CommandLine = /(?i)(get-domainuser|get-netuser)/ => "PowerView User Enum" ,
    ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/ => "PowerShell AD Enum" ,
    default => "AD Enumeration Tool"
  }
| table([_timstamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, EnumType])
| sort(field=_timstamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 telemetry Falcon Complete or Falcon Insight

Required Tables

ProcessRollup2

False Positives

System administrators using dsquery or dsget to inventory domain computers or organizational units during infrastructure change windows
Group Policy management tools or MDM platforms invoking PowerShell Get-ADGroup or Get-ADComputer to validate policy scope targets
Authorized red team or penetration testers running SharpHound or CrackMapExec during scheduled assessment periods

Last updated: 2026-04-18 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1087.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain Account

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections