Detect Domain Account in Google Chronicle
Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1087 Account Discovery
- Sub-technique
- T1087.002 Domain Account
- Canonical reference
- https://attack.mitre.org/techniques/T1087/002/
YARA-L Detection Query
rule T1087_002_domain_account_enumeration {
meta:
author = "Argus Detection Engineering"
description = "Detects domain account enumeration via net.exe /domain commands, PowerShell AD module and PowerView cmdlets, and known AD recon tools such as AdFind, BloodHound, SharpHound, nltest, dsquery, and CrackMapExec."
mitre_attack_technique = "T1087.002"
mitre_attack_tactic = "Discovery"
severity = "HIGH"
priority = "HIGH"
reference = "https://attack.mitre.org/techniques/T1087/002/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.hostname = $hostname
(
// Net.exe domain enumeration
(
re.regex($e.target.process.file.full_path, `(?i)(net\.exe|net1\.exe)$`) and
(
re.regex($e.target.process.command_line, `(?i)/domain`) or
re.regex($e.target.process.command_line, `(?i)(domain admins|domain users|domain controllers|enterprise admins|schema admins)`)
)
)
or
// PowerShell AD module and PowerView cmdlets
(
re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`) and
re.regex($e.target.process.command_line, `(?i)(Get-ADUser|Get-ADGroupMember|Get-ADGroup|Get-ADComputer|Get-ADObject|Get-ADDomain|Get-ADForest|Get-DomainUser|Get-DomainGroupMember|Get-DomainGroup|Get-NetUser|Get-NetGroup)`)
)
or
// Known AD enumeration tools
re.regex($e.target.process.file.full_path, `(?i)(adfind\.exe|nltest\.exe|dsquery\.exe|ldifde\.exe|csvde\.exe|dsget\.exe|sharphound\.exe|bloodhound\.exe|crackmapexec\.exe|cme\.exe)$`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting domain account enumeration using UDM process launch events. Matches net.exe and net1.exe with /domain arguments, PowerShell with AD module or PowerView enumeration cmdlets, and execution of known AD reconnaissance tools. Fires on any single matching process launch event.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate use of nltest.exe by domain controllers or trust verification scripts during routine AD health checks
- BloodHound Community Edition used by internal red teams or authorized security assessments without prior alert suppression
- Enterprise onboarding automation using Get-ADComputer or Get-ADUser to verify provisioning completeness for new endpoints or users
Other platforms for T1087.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Domain User Enumeration via net.exe
Expected signal: Sysmon Event ID 1: Process Create with Image ending in net.exe or net1.exe (Windows internally invokes net1.exe), CommandLine containing 'user /domain'. Security Event ID 4688 (if process command line auditing is enabled) with same details. Parent process will be cmd.exe or the calling shell.
- Test 2Domain Admin Group Enumeration via net.exe
Expected signal: Three separate Sysmon Event ID 1 entries, each with Image=net.exe or net1.exe, CommandLine containing 'group' and '/domain'. The rapid succession of three similar commands within seconds on the same host is a strong indicator. Security Event ID 4688 for each invocation if command line auditing is enabled.
- Test 3PowerShell Active Directory Module User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADUser' and '-Filter *'. PowerShell ScriptBlock Logging Event ID 4104 with the full command including filter and properties. Active Directory replication/query traffic from the host to the domain controller on LDAP port 389.
- Test 4PowerView Domain User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-DomainUser', 'IEX', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection to github.com or raw.githubusercontent.com. PowerShell ScriptBlock Logging Event ID 4104 with the IEX download cradle and Get-DomainUser call. Multiple LDAP queries to domain controllers captured in network traffic.
- Test 5nltest Domain Controller and Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Three process creation events for nltest.exe with CommandLine containing '/dclist:', '/domain_trusts', and '/user:Administrator' respectively. Security Event ID 4688 if command line auditing is enabled. nltest.exe is not commonly run by standard users, making any execution noteworthy.
References (11)
- https://attack.mitre.org/techniques/T1087/002/
- https://attack.mitre.org/techniques/T1087/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/net-user
- https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://www.mandiant.com/resources/blog/fin13-a-cybercriminal-threat-actor-focused-on-mexico
- https://www.cisa.gov/sites/default/files/publications/CISA_AA20-120A.pdf
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1087.002 including response playbook, investigation guide, and atomic red team tests.