T1087.002 Elastic Security · Elastic

Detect Domain Account in Elastic Security

Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users.

MITRE ATT&CK

Tactic
Discovery
Technique
T1087 Account Discovery
Sub-technique
T1087.002 Domain Account
Canonical reference
https://attack.mitre.org/techniques/T1087/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=5m
  [process where event.type == "start" and (
    (
      process.name in~ ("net.exe", "net1.exe") and
      process.args : ("/domain", "domain admins", "domain users", "domain controllers", "enterprise admins", "schema admins")
    ) or
    (
      process.name in~ ("powershell.exe", "pwsh.exe") and
      process.command_line : ("*Get-ADUser*", "*Get-ADGroupMember*", "*Get-ADGroup*", "*Get-ADComputer*", "*Get-ADObject*", "*Get-ADDomain*", "*Get-ADForest*", "*Get-DomainUser*", "*Get-DomainGroupMember*", "*Get-DomainGroup*", "*Get-NetUser*", "*Get-NetGroup*")
    ) or
    (
      process.name in~ ("adfind.exe", "nltest.exe", "dsquery.exe", "ldifde.exe", "csvde.exe", "dsget.exe", "crackmapexec.exe", "cme.exe", "bloodhound.exe", "sharphound.exe") and
      process.command_line : ("*user*", "*group*", "*objectclass*", "*samaccountname*", "*domain*", "*ldap*")
    )
  )] by process.entity_id
high severity high confidence

Detects domain account enumeration via net.exe /domain commands, PowerShell Active Directory module cmdlets (Get-ADUser, Get-ADGroupMember, PowerView equivalents), and known AD reconnaissance tools such as AdFind, BloodHound, SharpHound, nltest, dsquery, and CrackMapExec. Sequences are correlated per host within a 5-minute window.

Data Sources

Elastic EndpointAuditbeatWinlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-*winlogbeat-*auditbeat-*

False Positives & Tuning

  • IT administrators running legitimate AD audits or user management scripts using Get-ADUser or dsquery
  • Automated provisioning systems or identity governance tools that enumerate domain groups and users as part of lifecycle management
  • Security scanning tools or vulnerability management platforms (e.g., Tenable, Qualys) that perform AD enumeration as part of asset inventory
Download portable Sigma rule (.yml)

Other platforms for T1087.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Domain User Enumeration via net.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in net.exe or net1.exe (Windows internally invokes net1.exe), CommandLine containing 'user /domain'. Security Event ID 4688 (if process command line auditing is enabled) with same details. Parent process will be cmd.exe or the calling shell.

  2. Test 2Domain Admin Group Enumeration via net.exe

    Expected signal: Three separate Sysmon Event ID 1 entries, each with Image=net.exe or net1.exe, CommandLine containing 'group' and '/domain'. The rapid succession of three similar commands within seconds on the same host is a strong indicator. Security Event ID 4688 for each invocation if command line auditing is enabled.

  3. Test 3PowerShell Active Directory Module User Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADUser' and '-Filter *'. PowerShell ScriptBlock Logging Event ID 4104 with the full command including filter and properties. Active Directory replication/query traffic from the host to the domain controller on LDAP port 389.

  4. Test 4PowerView Domain User Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-DomainUser', 'IEX', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection to github.com or raw.githubusercontent.com. PowerShell ScriptBlock Logging Event ID 4104 with the IEX download cradle and Get-DomainUser call. Multiple LDAP queries to domain controllers captured in network traffic.

  5. Test 5nltest Domain Controller and Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Three process creation events for nltest.exe with CommandLine containing '/dclist:', '/domain_trusts', and '/user:Administrator' respectively. Security Event ID 4688 if command line auditing is enabled. nltest.exe is not commonly run by standard users, making any execution noteworthy.

Last updated: 2026-04-18 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1087.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1087Account Discovery

Related Sub-techniques

T1087.001Local AccountT1087.003Email AccountT1087.004Cloud Account

Related Techniques

T1087Account DiscoveryT1087.001Local AccountT1069.002Domain GroupsT1018Remote System DiscoveryT1078.002Domain AccountsT1021.002SMB/Windows Admin SharesT1059.001PowerShellT1110.003Password SprayingT1558.003Kerberoasting

Same Tactic: Discovery

Popular Detections