T1087.002 Splunk · SPL

Detect Domain Account in Splunk

Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users.

MITRE ATT&CK

Tactic
Discovery
Technique
T1087 Account Discovery
Sub-technique
T1087.002 Domain Account
Canonical reference
https://attack.mitre.org/techniques/T1087/002/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, lower(ProcessCommandLine))
| eval CommandLine=lower(CommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval User=coalesce(User, SubjectUserName)
| eval host=coalesce(host, ComputerName)
| eval IsNetDomainEnum=if(
    (match(Image, "(net\.exe|net1\.exe)$") AND match(CommandLine, "(/domain|domain admins|domain users|domain controllers|enterprise admins|schema admins)")),
    1, 0)
| eval IsPSADEnum=if(
    (match(Image, "(powershell\.exe|pwsh\.exe)$") AND match(CommandLine, "(get-aduser|get-adgroupmember|get-adgroup|get-adcomputer|get-adobject|get-adomain|get-adforest|get-domainuser|get-domaingroupmember|get-domaingroup|get-netuser|get-netgroup)")),
    1, 0)
| eval IsADTool=if(
    match(Image, "(adfind\.exe|nltest\.exe|dsquery\.exe|ldifde\.exe|csvde\.exe|dsget\.exe|sharphound\.exe|bloodhound\.exe|crackmapexec\.exe|cme\.exe)$"),
    1, 0)
| eval EnumType=case(
    IsNetDomainEnum=1 AND match(CommandLine, "user"), "net user /domain",
    IsNetDomainEnum=1 AND match(CommandLine, "group"), "net group /domain",
    IsNetDomainEnum=1 AND match(CommandLine, "accounts"), "net accounts /domain",
    IsNetDomainEnum=1, "net /domain enum",
    IsPSADEnum=1 AND match(CommandLine, "get-aduser"), "Get-ADUser",
    IsPSADEnum=1 AND match(CommandLine, "get-adgroupmember"), "Get-ADGroupMember",
    IsPSADEnum=1 AND match(CommandLine, "get-domainuser|get-netuser"), "PowerView User Enum",
    IsPSADEnum=1, "PowerShell AD Enum",
    IsADTool=1, "AD Enumeration Tool",
    true(), "Unknown")
| where IsNetDomainEnum=1 OR IsPSADEnum=1 OR IsADTool=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, EnumType, IsNetDomainEnum, IsPSADEnum, IsADTool
| sort - _time
medium severity high confidence

Detects domain account enumeration using Sysmon Event ID 1 (Process Creation) and Security Event ID 4688 (Process Creation with command line auditing). Identifies three attack vectors: net.exe/net1.exe with /domain flags, PowerShell ActiveDirectory module and PowerView cmdlets, and dedicated AD enumeration tools (AdFind, SharpHound, BloodHound, nltest, dsquery). Uses coalesce to handle both Sysmon and Security event field naming differences. Classifies findings by enumeration type for analyst triage.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • IT administrators legitimately running net user /domain or net group /domain commands during troubleshooting or account management tasks
  • Helpdesk staff using Get-ADUser or Get-ADGroupMember in PowerShell for user management operations
  • Monitoring and identity governance tools (e.g., SailPoint, Varonis, CyberArk) that periodically enumerate AD accounts as part of access reviews
  • HR or provisioning automation scripts that enumerate domain groups when onboarding or offboarding users
  • Domain controller health check scripts or scheduled tasks that enumerate accounts as part of routine auditing
Download portable Sigma rule (.yml)

Other platforms for T1087.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Domain User Enumeration via net.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in net.exe or net1.exe (Windows internally invokes net1.exe), CommandLine containing 'user /domain'. Security Event ID 4688 (if process command line auditing is enabled) with same details. Parent process will be cmd.exe or the calling shell.

  2. Test 2Domain Admin Group Enumeration via net.exe

    Expected signal: Three separate Sysmon Event ID 1 entries, each with Image=net.exe or net1.exe, CommandLine containing 'group' and '/domain'. The rapid succession of three similar commands within seconds on the same host is a strong indicator. Security Event ID 4688 for each invocation if command line auditing is enabled.

  3. Test 3PowerShell Active Directory Module User Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADUser' and '-Filter *'. PowerShell ScriptBlock Logging Event ID 4104 with the full command including filter and properties. Active Directory replication/query traffic from the host to the domain controller on LDAP port 389.

  4. Test 4PowerView Domain User Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-DomainUser', 'IEX', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection to github.com or raw.githubusercontent.com. PowerShell ScriptBlock Logging Event ID 4104 with the IEX download cradle and Get-DomainUser call. Multiple LDAP queries to domain controllers captured in network traffic.

  5. Test 5nltest Domain Controller and Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Three process creation events for nltest.exe with CommandLine containing '/dclist:', '/domain_trusts', and '/user:Administrator' respectively. Security Event ID 4688 if command line auditing is enabled. nltest.exe is not commonly run by standard users, making any execution noteworthy.

Last updated: 2026-04-18 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1087.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1087Account Discovery

Related Sub-techniques

T1087.001Local AccountT1087.003Email AccountT1087.004Cloud Account

Related Techniques

T1087Account DiscoveryT1087.001Local AccountT1069.002Domain GroupsT1018Remote System DiscoveryT1078.002Domain AccountsT1021.002SMB/Windows Admin SharesT1059.001PowerShellT1110.003Password SprayingT1558.003Kerberoasting

Same Tactic: Discovery

Popular Detections