Detect Domain Account in Microsoft Sentinel
Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1087 Account Discovery
- Sub-technique
- T1087.002 Domain Account
- Canonical reference
- https://attack.mitre.org/techniques/T1087/002/
KQL Detection Query
let DomainEnumProcesses = dynamic(["net.exe", "net1.exe"]);
let ADToolNames = dynamic(["adfind.exe", "adfind", "nltest.exe", "dsquery.exe", "ldifde.exe", "csvde.exe", "dsget.exe", "crackmapexec.exe", "cme.exe", "bloodhound.exe", "sharphound.exe"]);
let DomainEnumArgs = dynamic(["/domain", "domain admins", "domain users", "domain controllers", "enterprise admins", "schema admins", "get-aduser", "get-adgroupmember", "get-adgroup", "get-adcomputer", "samaccountname", "distinguishedname"]);
let LDAPQueryPatterns = dynamic(["ldap://", "ldap:\\\\", "objectclass=user", "objectclass=person", "samaccounttype", "useraccountcontrol"]);
// Detect net.exe and net1.exe domain account enumeration
let NetDomainEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (DomainEnumProcesses)
| where ProcessCommandLine has_any ("/domain", "domain admins", "domain users", "domain controllers", "enterprise admins")
| extend EnumType = case(
ProcessCommandLine has "user" and ProcessCommandLine has "/domain", "net user /domain",
ProcessCommandLine has "group" and ProcessCommandLine has "/domain", "net group /domain",
ProcessCommandLine has "accounts" and ProcessCommandLine has "/domain", "net accounts /domain",
"net /domain other"
)
| extend TechniqueSource = "net.exe";
// Detect PowerShell AD module usage
let PSADEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Get-ADUser", "Get-ADGroupMember", "Get-ADGroup", "Get-ADComputer", "Get-ADObject", "Get-ADDomain", "Get-ADForest", "Get-DomainUser", "Get-DomainGroupMember", "Get-DomainGroup", "Get-NetUser", "Get-NetGroup")
| extend EnumType = case(
ProcessCommandLine has "Get-ADUser", "Get-ADUser",
ProcessCommandLine has "Get-ADGroupMember", "Get-ADGroupMember",
ProcessCommandLine has "Get-DomainUser", "Get-DomainUser (PowerView)",
ProcessCommandLine has "Get-NetUser", "Get-NetUser (PowerView)",
"PowerShell AD Enum"
)
| extend TechniqueSource = "PowerShell";
// Detect known AD enumeration tools
let ADToolEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ADToolNames) or InitiatingProcessFileName has_any (ADToolNames)
| where ProcessCommandLine has_any ("user", "group", "objectclass", "samaccountname", "domain", "ldap")
| extend EnumType = "AD Enumeration Tool"
| extend TechniqueSource = FileName;
// Combine results
union NetDomainEnum, PSADEnum, ADToolEnum
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, EnumType, TechniqueSource
| sort by Timestamp desc

Detects domain account enumeration activity using Microsoft Defender for Endpoint DeviceProcessEvents. Covers three primary vectors: (1) net.exe / net1.exe commands with the /domain flag enumerating users, groups, or accounts; (2) PowerShell cmdlets from the ActiveDirectory module and PowerView/PowerSploit functions like Get-ADUser, Get-ADGroupMember, Get-DomainUser, Get-NetUser; (3) known AD enumeration tools such as AdFind, SharpHound, BloodHound, nltest, dsquery, ldifde, and CrackMapExec. Uses a union across the three sub-queries to provide full coverage.
False Positives & Tuning
- IT administrators legitimately running net user /domain or net group /domain commands during troubleshooting or account management tasks
- Helpdesk staff using Get-ADUser or Get-ADGroupMember in PowerShell for user management operations
- Monitoring and identity governance tools (e.g., SailPoint, Varonis, CyberArk) that periodically enumerate AD accounts as part of access reviews
- HR or provisioning automation scripts that enumerate domain groups when onboarding or offboarding users
- Domain controller health check scripts or scheduled tasks that enumerate accounts as part of routine auditing
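The tuning cases above can be folded directly into the query rather than handled by analysts after the fact. The following KQL is an added example (not part of the original rule) that wraps the net.exe and PowerShell vectors in allowlists for known enumerating service accounts and admin hosts, then alerts only on bursts of enumeration from one host, which is the pattern the testing section describes for back-to-back net group queries. The watchlist names AD_EnumServiceAccounts and AD_AdminWorkstations are assumptions; create them in Sentinel (with the default SearchKey column) or substitute your own.

```kql
// Added tuning example, not part of the original detection rule.
// Assumed: two Sentinel watchlists exist, each keyed on SearchKey:
//   AD_EnumServiceAccounts  - identity governance / provisioning service accounts
//   AD_AdminWorkstations    - helpdesk and admin hosts expected to run AD queries
let AllowedAccounts = _GetWatchlist('AD_EnumServiceAccounts') | project SearchKey;
let AllowedHosts = _GetWatchlist('AD_AdminWorkstations') | project SearchKey;
let DomainEnumProcesses = dynamic(["net.exe", "net1.exe"]);
let PSEnumCmdlets = dynamic(["Get-ADUser", "Get-ADGroupMember", "Get-DomainUser", "Get-NetUser"]);
let BaseEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ (DomainEnumProcesses) and ProcessCommandLine has "/domain")
     or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSEnumCmdlets))
| extend EnumType = case(
    ProcessCommandLine has "/domain" and ProcessCommandLine has "user", "net user /domain",
    ProcessCommandLine has "/domain" and ProcessCommandLine has "group", "net group /domain",
    ProcessCommandLine has_any ("Get-ADUser", "Get-DomainUser", "Get-NetUser"), "PowerShell user enum",
    ProcessCommandLine has "Get-ADGroupMember", "PowerShell group member enum",
    "other domain enum");
BaseEnum
// Suppress accounts and hosts that are expected to enumerate AD (see False Positives above)
| where AccountName !in~ (AllowedAccounts)
| where DeviceName !in~ (AllowedHosts)
// Burst logic: several enumeration commands, or several kinds of them, from one
// host and account inside a 10 minute window
| summarize Commands = count(),
            DistinctTypes = dcount(EnumType),
            Types = make_set(EnumType),
            SampleCommands = make_set(ProcessCommandLine, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, AccountName, Window = bin(Timestamp, 10m)
| where Commands >= 3 or DistinctTypes >= 2
| project FirstSeen, LastSeen, DeviceName, AccountName, Commands, DistinctTypes, Types, SampleCommands
| sort by LastSeen desc
```

Keep the allowlists narrow: suppress on the specific account and host pair an identity-governance tool actually runs from, not on every member of a helpdesk group, and review the watchlists whenever an excluded account's role changes. A single net user /domain from a non-allowlisted host still falls below the burst threshold here, so run this query alongside the base rule (as a higher-severity analytic) rather than in place of it.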
Testing Methodology
Validate this detection against the five Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Domain User Enumeration via net.exe
Expected signal: Sysmon Event ID 1: Process Create with Image ending in net.exe or net1.exe (Windows internally invokes net1.exe), CommandLine containing 'user /domain'. Security Event ID 4688 (if process command line auditing is enabled) with the same details. Parent process will be cmd.exe or the calling shell.
- Test 2: Domain Admin Group Enumeration via net.exe
Expected signal: Three separate Sysmon Event ID 1 entries, each with Image=net.exe or net1.exe, CommandLine containing 'group' and '/domain'. The rapid succession of three similar commands within seconds on the same host is a strong indicator. Security Event ID 4688 for each invocation if command line auditing is enabled.
- Test 3: PowerShell Active Directory Module User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADUser' and '-Filter *'. PowerShell ScriptBlock Logging Event ID 4104 with the full command including filter and properties. Active Directory query traffic from the host to the domain controller on LDAP port 389.
- Test 4: PowerView Domain User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-DomainUser', 'IEX', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection to github.com or raw.githubusercontent.com. PowerShell ScriptBlock Logging Event ID 4104 with the IEX download cradle and Get-DomainUser call. Multiple LDAP queries to domain controllers captured in network traffic.
- Test 5: nltest Domain Controller and Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Three process creation events for nltest.exe with CommandLine containing '/dclist:', '/domain_trusts', and '/user:Administrator' respectively. Security Event ID 4688 if command line auditing is enabled. nltest.exe is not commonly run by standard users, making any execution noteworthy.
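The expected signals above are stated in terms of Windows event IDs, so after running the tests on a lab host it is worth confirming that the 4688 and 4104 events actually reached the workspace and map back to the test that produced them. The following KQL is an added validation example (not part of the original page): it reads the SecurityEvent table for 4688 process creations and the Event table for PowerShell 4104 script blocks, labels each row with the Atomic test it corresponds to, and counts what arrived. It assumes process command line auditing is enabled and that PowerShell operational logs are forwarded to the Event table; LAB-WKS01 is a constructed placeholder host name.

```kql
// Added validation example, not part of the original page.
// Assumed: 4688 events land in SecurityEvent with CommandLine populated, and the
// Microsoft-Windows-PowerShell operational log (4104) is collected into Event.
let LabHost = "LAB-WKS01";          // constructed placeholder, replace with your test host
let TestWindow = ago(2h);           // run shortly after executing the Atomic tests
let ExpectedImages = dynamic(["net.exe", "net1.exe", "powershell.exe", "pwsh.exe", "nltest.exe"]);
let ProcessCreates = SecurityEvent
| where TimeGenerated > TestWindow
| where Computer =~ LabHost and EventID == 4688
| extend Image = tolower(tostring(split(NewProcessName, "\\")[-1]))
| where Image in (ExpectedImages)
| where CommandLine has_any ("/domain", "Get-ADUser", "Get-DomainUser", "/dclist:", "/domain_trusts", "/user:")
| extend AtomicTest = case(
    Image in ("net.exe", "net1.exe") and CommandLine has "user", "Test 1 (net user /domain)",
    Image in ("net.exe", "net1.exe") and CommandLine has "group", "Test 2 (net group /domain)",
    CommandLine has "Get-ADUser", "Test 3 (AD module)",
    CommandLine has "Get-DomainUser", "Test 4 (PowerView)",
    Image == "nltest.exe", "Test 5 (nltest)",
    "unmapped")
| project TimeGenerated, Computer, Account, Image, CommandLine, ParentProcessName, AtomicTest,
          Telemetry = "Security 4688";
let ScriptBlocks = Event
| where TimeGenerated > TestWindow
| where Computer =~ LabHost and Source == "Microsoft-Windows-PowerShell" and EventID == 4104
| where RenderedDescription has_any ("Get-ADUser", "Get-DomainUser", "DownloadString")
| extend AtomicTest = iff(RenderedDescription has "Get-DomainUser", "Test 4 (PowerView)", "Test 3 (AD module)")
| project TimeGenerated, Computer, Account = UserName, Image = "powershell.exe",
          CommandLine = substring(RenderedDescription, 0, 300), ParentProcessName = "",
          AtomicTest, Telemetry = "PowerShell 4104";
union ProcessCreates, ScriptBlocks
// One row per test: how many events arrived, from which log, and when the first one landed
| summarize Events = count(), FirstSeen = min(TimeGenerated), Sources = make_set(Telemetry) by AtomicTest
| sort by AtomicTest asc
```

A test that is missing from the output points at a collection gap rather than a detection gap: no 4688 rows for Tests 1, 2 and 5 usually means command line auditing is off on the host, and no 4104 rows for Tests 3 and 4 means script block logging is not enabled or not forwarded. Fix the collection first, then re-run the base detection query over the same window to confirm it fires.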
References
- https://attack.mitre.org/techniques/T1087/002/
- https://attack.mitre.org/techniques/T1087/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/net-user
- https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://www.mandiant.com/resources/blog/fin13-a-cybercriminal-threat-actor-focused-on-mexico
- https://www.cisa.gov/sites/default/files/publications/CISA_AA20-120A.pdf
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation