T1087.002 IBM QRadar · QRadar

Detect Domain Account in IBM QRadar

Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users.

MITRE ATT&CK

Tactic: Discovery
Technique: T1087 Account Discovery
Sub-technique: T1087.002 Domain Account
Canonical reference: https://attack.mitre.org/techniques/T1087/002/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "ProcessImage" AS process_image,
  "CommandLine" AS command_line,
  "ParentProcessImage" AS parent_image,
  CASE
    WHEN LOWER("ProcessImage") LIKE '%net.exe' AND LOWER("CommandLine") LIKE '%/domain%' AND LOWER("CommandLine") LIKE '%user%' THEN 'net user /domain'
    WHEN LOWER("ProcessImage") LIKE '%net.exe' AND LOWER("CommandLine") LIKE '%/domain%' AND LOWER("CommandLine") LIKE '%group%' THEN 'net group /domain'
    WHEN LOWER("ProcessImage") LIKE '%net.exe' AND LOWER("CommandLine") LIKE '%/domain%' AND LOWER("CommandLine") LIKE '%accounts%' THEN 'net accounts /domain'
    WHEN LOWER("ProcessImage") LIKE '%powershell%' AND "CommandLine" IMATCHES '.*(get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-addomain|get-adforest|get-domainuser|get-netuser|get-netgroup).*' THEN 'PowerShell AD Enumeration'
    WHEN "ProcessImage" IMATCHES '.*(adfind|nltest|dsquery|ldifde|csvde|dsget|sharphound|bloodhound|crackmapexec|cme)\.exe' THEN 'AD Enumeration Tool'
    ELSE 'Domain Enum - Other'
  END AS enum_type,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category
FROM events
WHERE
  devicetype IN (12, 13, 52, 369, 382)
  AND (
    (
      (LOWER("ProcessImage") LIKE '%net.exe' OR LOWER("ProcessImage") LIKE '%net1.exe')
      AND (
        LOWER("CommandLine") LIKE '%/domain%'
        OR LOWER("CommandLine") LIKE '%domain admins%'
        OR LOWER("CommandLine") LIKE '%domain users%'
        OR LOWER("CommandLine") LIKE '%enterprise admins%'
      )
    )
    OR (
      (LOWER("ProcessImage") LIKE '%powershell.exe' OR LOWER("ProcessImage") LIKE '%pwsh.exe')
      AND "CommandLine" IMATCHES '.*(get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-adobject|get-addomain|get-adforest|get-domainuser|get-domaingroupmember|get-domaingroup|get-netuser|get-netgroup).*'
    )
    OR "ProcessImage" IMATCHES '.*(adfind|nltest|dsquery|ldifde|csvde|dsget|sharphound|bloodhound|crackmapexec|cme)\.exe'
  )
ORDER BY starttime DESC
LAST 24 HOURS

Severity: High · Confidence: High

QRadar AQL detection for domain account enumeration, built on Windows Security event logs and Sysmon process creation events. It detects net.exe /domain usage, PowerShell AD module and PowerView cmdlets, and known AD enumeration tooling including AdFind, BloodHound, SharpHound, nltest, dsquery, and CrackMapExec. The query reads the custom event properties "ProcessImage", "CommandLine" and "ParentProcessImage", so those properties must be extracted from the Windows and Sysmon DSMs before the query returns anything; for Security Event ID 4688 the command line is only present when process command line auditing is enabled. Regular expressions are applied with IMATCHES, which is case-insensitive and must match the whole field value, hence the leading and trailing .* in the cmdlet patterns.

Data Sources

  • Microsoft Windows Security Event Log
  • Sysmon via Windows Event Log
  • QRadar DSMs for Windows

Required Tables

events

False Positives & Tuning

  • Helpdesk or IT operations staff running net user /domain for routine account verification or password reset workflows
  • Scheduled AD synchronization tasks run by identity management solutions (e.g., Azure AD Connect, Okta AD Agent, SailPoint) that invoke PowerShell AD cmdlets
  • Penetration testing or red team exercises using BloodHound or AdFind with explicit authorization
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Domain User Enumeration via net.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in net.exe or net1.exe (Windows internally invokes net1.exe), CommandLine containing 'user /domain'. Security Event ID 4688 (if process command line auditing is enabled) with same details. Parent process will be cmd.exe or the calling shell.

  2. Test 2: Domain Admin Group Enumeration via net.exe

    Expected signal: Three separate Sysmon Event ID 1 entries, each with Image=net.exe or net1.exe, CommandLine containing 'group' and '/domain'. The rapid succession of three similar commands within seconds on the same host is a strong indicator. Security Event ID 4688 for each invocation if command line auditing is enabled.

  3. Test 3: PowerShell Active Directory Module User Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADUser' and '-Filter *'. PowerShell ScriptBlock Logging Event ID 4104 with the full command including filter and properties. Active Directory replication/query traffic from the host to the domain controller on LDAP port 389.

  4. Test 4: PowerView Domain User Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-DomainUser', 'IEX', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection to github.com or raw.githubusercontent.com. PowerShell ScriptBlock Logging Event ID 4104 with the IEX download cradle and Get-DomainUser call. Multiple LDAP queries to domain controllers captured in network traffic.

  5. Test 5: nltest Domain Controller and Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Three process creation events for nltest.exe with CommandLine containing '/dclist:', '/domain_trusts', and '/user:Administrator' respectively. Security Event ID 4688 if command line auditing is enabled. nltest.exe is not commonly run by standard users, making any execution noteworthy.
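As an added example (not part of the original page and not QRadar's or the query author's code), the following Python re-implements the enum_type classification from the AQL query above together with the "rapid succession on the same host" heuristic described in Test 2, and runs both over constructed Sysmon Event ID 1 style records covering Tests 1 through 5. It lets you check offline that the expected signals listed in the tests would be labelled the way the query intends before the AQL is deployed. The ProcessEvent class, the hostnames, usernames, timestamps and command lines are all constructed for this example; the fields mirror the custom event properties the query reads ("ProcessImage", "CommandLine", "ParentProcessImage").

```python
# Added example: offline re-implementation of the AQL enum_type logic and the
# Test 2 "rapid succession" heuristic over constructed Sysmon Event ID 1 records.
# Not QRadar code; all sample data below is constructed.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Cmdlet and tool name patterns taken from the query's WHERE clause.
AD_CMDLETS = re.compile(
    r"(get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-adobject|"
    r"get-addomain|get-adforest|get-domainuser|get-domaingroupmember|"
    r"get-domaingroup|get-netuser|get-netgroup)"
)
ENUM_TOOLS = re.compile(
    r"^(adfind|nltest|dsquery|ldifde|csvde|dsget|sharphound|bloodhound|crackmapexec|cme)\.exe$"
)
NET_DOMAIN_TERMS = ("/domain", "domain admins", "domain users", "enterprise admins")


@dataclass
class ProcessEvent:
    ts: float            # epoch seconds (Sysmon UtcTime / 4688 TimeCreated)
    host: str
    user: str
    process_image: str   # Sysmon Image / 4688 NewProcessName  -> "ProcessImage"
    command_line: str    # Sysmon CommandLine / 4688 CommandLine -> "CommandLine"
    parent_image: str    # Sysmon ParentImage / 4688 ParentProcessName


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return the enum_type label the query's CASE would assign, or None when
    the event would not pass the query's WHERE clause at all."""
    exe = _basename(ev.process_image)
    cmd = ev.command_line.lower()
    if exe in ("net.exe", "net1.exe") and any(t in cmd for t in NET_DOMAIN_TERMS):
        # Use the subcommand token instead of a substring test so that
        # net group "Domain Users" /domain is labelled as a group query.
        tokens = cmd.split()
        sub = tokens[1] if len(tokens) > 1 else ""
        if "/domain" in cmd and sub in ("user", "group", "accounts"):
            return f"net {sub} /domain"
        return "Domain Enum - Other"
    if exe in ("powershell.exe", "pwsh.exe") and AD_CMDLETS.search(cmd):
        return "PowerShell AD Enumeration"
    if ENUM_TOOLS.match(exe):
        return "AD Enumeration Tool"
    return None


def detect(events):
    """(host, user, label) for every event the query logic would return."""
    out = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            out.append((ev.host, ev.user, label))
    return out


def burst_hosts(events, window_seconds: float = 10.0, min_count: int = 3):
    """Hosts with min_count or more matching events inside window_seconds,
    the Test 2 signal of several similar commands within seconds."""
    by_host = defaultdict(list)
    for ev in events:
        if classify(ev) is not None:
            by_host[ev.host].append(ev.ts)
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window_seconds:
                flagged.add(host)
                break
    return flagged


# Constructed sample records (one per test, plus one benign net.exe event).
SAMPLE_EVENTS = [
    ProcessEvent(1000.0, "WS01", "CORP\\jdoe", r"C:\Windows\System32\net1.exe",
                 "net1 user /domain", r"C:\Windows\System32\net.exe"),
    ProcessEvent(1001.0, "WS01", "CORP\\jdoe", r"C:\Windows\System32\net.exe",
                 'net group "Domain Admins" /domain', r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(1002.5, "WS01", "CORP\\jdoe", r"C:\Windows\System32\net.exe",
                 'net group "Domain Users" /domain', r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(1500.0, "WS02", "CORP\\svc_sync",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-ADUser -Filter * -Properties *",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(1600.0, "WS03", "CORP\\asmith", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -c Get-DomainUser -Properties samaccountname", r"C:\Windows\explorer.exe"),
    ProcessEvent(1700.0, "WS03", "CORP\\asmith", r"C:\Windows\System32\nltest.exe",
                 "nltest /dclist:corp.example", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(1800.0, "WS04", "CORP\\bjones", r"C:\Windows\System32\net.exe",
                 "net use Z: \\\\fs01\\share", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
    print("burst hosts:", burst_hosts(SAMPLE_EVENTS))
```

Two points the sample surfaces: the benign net use event on WS04 is dropped because its command line contains none of the domain terms the WHERE clause requires, and only WS01 is flagged as a burst because its three net commands land within 2.5 seconds, whereas WS03's two events are 100 seconds apart. The classifier keys on the net subcommand token deliberately; the query's LIKE '%user%' test in the CASE expression also fires on the string "Domain Users", so net group "Domain Users" /domain is labelled net user /domain there, which is worth knowing when tuning on enum_type.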
