Detect Domain Account in CrowdStrike LogScale
Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1087 Account Discovery
- Sub-technique
- T1087.002 Domain Account
- Canonical reference
- https://attack.mitre.org/techniques/T1087/002/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(net\.exe|net1\.exe|powershell\.exe|pwsh\.exe|adfind\.exe|nltest\.exe|dsquery\.exe|ldifde\.exe|csvde\.exe|dsget\.exe|sharphound\.exe|bloodhound\.exe|crackmapexec\.exe|cme\.exe)$/
| CommandLine = /(?i)(/domain|domain admins|domain users|domain controllers|enterprise admins|schema admins|get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-adobject|get-addomain|get-adforest|get-domainuser|get-domaingroupmember|get-domaingroup|get-netuser|get-netgroup|objectclass=user|samaccountname|useraccountcontrol)/
| EnumType := case {
ImageFileName = /(?i)(net\.exe|net1\.exe)$/ AND CommandLine = /(?i)user/ => "net user /domain" ,
ImageFileName = /(?i)(net\.exe|net1\.exe)$/ AND CommandLine = /(?i)group/ => "net group /domain" ,
ImageFileName = /(?i)(net\.exe|net1\.exe)$/ AND CommandLine = /(?i)accounts/ => "net accounts /domain" ,
ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/ AND CommandLine = /(?i)get-aduser/ => "Get-ADUser" ,
ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/ AND CommandLine = /(?i)get-adgroupmember/ => "Get-ADGroupMember" ,
ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/ AND CommandLine = /(?i)(get-domainuser|get-netuser)/ => "PowerView User Enum" ,
ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/ => "PowerShell AD Enum" ,
default => "AD Enumeration Tool"
}
| table([_timstamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, EnumType])
| sort(field=_timstamp, order=desc)CrowdStrike LogScale (Falcon) detection for domain account enumeration using ProcessRollup2 events. Targets net.exe and net1.exe with /domain-related arguments, PowerShell with Active Directory module and PowerView cmdlets, and known AD recon tooling (AdFind, BloodHound, SharpHound, nltest, dsquery, CrackMapExec). Classifies each match into a specific enumeration type for triage efficiency.
Data Sources
Required Tables
False Positives & Tuning
- System administrators using dsquery or dsget to inventory domain computers or organizational units during infrastructure change windows
- Group Policy management tools or MDM platforms invoking PowerShell Get-ADGroup or Get-ADComputer to validate policy scope targets
- Authorized red team or penetration testers running SharpHound or CrackMapExec during scheduled assessment periods
Other platforms for T1087.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Domain User Enumeration via net.exe
Expected signal: Sysmon Event ID 1: Process Create with Image ending in net.exe or net1.exe (Windows internally invokes net1.exe), CommandLine containing 'user /domain'. Security Event ID 4688 (if process command line auditing is enabled) with same details. Parent process will be cmd.exe or the calling shell.
- Test 2Domain Admin Group Enumeration via net.exe
Expected signal: Three separate Sysmon Event ID 1 entries, each with Image=net.exe or net1.exe, CommandLine containing 'group' and '/domain'. The rapid succession of three similar commands within seconds on the same host is a strong indicator. Security Event ID 4688 for each invocation if command line auditing is enabled.
- Test 3PowerShell Active Directory Module User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADUser' and '-Filter *'. PowerShell ScriptBlock Logging Event ID 4104 with the full command including filter and properties. Active Directory replication/query traffic from the host to the domain controller on LDAP port 389.
- Test 4PowerView Domain User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-DomainUser', 'IEX', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection to github.com or raw.githubusercontent.com. PowerShell ScriptBlock Logging Event ID 4104 with the IEX download cradle and Get-DomainUser call. Multiple LDAP queries to domain controllers captured in network traffic.
- Test 5nltest Domain Controller and Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Three process creation events for nltest.exe with CommandLine containing '/dclist:', '/domain_trusts', and '/user:Administrator' respectively. Security Event ID 4688 if command line auditing is enabled. nltest.exe is not commonly run by standard users, making any execution noteworthy.
References (11)
- https://attack.mitre.org/techniques/T1087/002/
- https://attack.mitre.org/techniques/T1087/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/net-user
- https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://www.mandiant.com/resources/blog/fin13-a-cybercriminal-threat-actor-focused-on-mexico
- https://www.cisa.gov/sites/default/files/publications/CISA_AA20-120A.pdf
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1087.002 including response playbook, investigation guide, and atomic red team tests.