Detect Domain Account in Sumo Logic CSE
Adversaries may attempt to get a listing of domain accounts to aid in follow-on behavior such as targeting accounts with specific privileges. Commands such as net user /domain and net group /domain, PowerShell cmdlets like Get-ADUser and Get-ADGroupMember, LDAP queries via ldapsearch or BoomBox-style programmatic enumeration, and tools like AdFind and CrackMapExec are commonly used. This information helps adversaries identify high-value targets such as domain administrators, service accounts, and privileged users.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1087 Account Discovery
- Sub-technique
- T1087.002 Domain Account
- Canonical reference
- https://attack.mitre.org/techniques/T1087/002/
Sumo Detection Query
_sourceCategory="windows/*" (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| parse field=_raw "<Image>*</Image>" as process_image nodrop
| parse field=_raw "<CommandLine>*</CommandLine>" as command_line nodrop
| parse field=_raw "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse field=_raw "<User>*</User>" as user nodrop
| parse field=_raw "NewProcessName=\"*\"" as process_image_sec nodrop
| parse field=_raw "CommandLine=\"*\"" as command_line_sec nodrop
| parse field=_raw "SubjectUserName=\"*\"" as user_sec nodrop
| if (isNull(process_image), process_image_sec, process_image) as process_image
| if (isNull(command_line), command_line_sec, command_line) as command_line
| if (isNull(user), user_sec, user) as user
| toLowerCase(process_image) as proc_lower
| toLowerCase(command_line) as cmd_lower
| where (
(proc_lower matches "*net.exe" OR proc_lower matches "*net1.exe")
AND (
cmd_lower matches "*/domain*"
OR cmd_lower contains "domain admins"
OR cmd_lower contains "domain users"
OR cmd_lower contains "enterprise admins"
OR cmd_lower contains "schema admins"
)
)
OR (
(proc_lower matches "*powershell.exe" OR proc_lower matches "*pwsh.exe")
AND (
cmd_lower contains "get-aduser"
OR cmd_lower contains "get-adgroupmember"
OR cmd_lower contains "get-adgroup"
OR cmd_lower contains "get-adcomputer"
OR cmd_lower contains "get-adobject"
OR cmd_lower contains "get-addomain"
OR cmd_lower contains "get-adforest"
OR cmd_lower contains "get-domainuser"
OR cmd_lower contains "get-domaingroupmember"
OR cmd_lower contains "get-domaingroup"
OR cmd_lower contains "get-netuser"
OR cmd_lower contains "get-netgroup"
)
)
OR (
proc_lower matches "*adfind.exe"
OR proc_lower matches "*nltest.exe"
OR proc_lower matches "*dsquery.exe"
OR proc_lower matches "*ldifde.exe"
OR proc_lower matches "*csvde.exe"
OR proc_lower matches "*dsget.exe"
OR proc_lower matches "*sharphound.exe"
OR proc_lower matches "*bloodhound.exe"
OR proc_lower matches "*crackmapexec.exe"
OR proc_lower matches "*cme.exe"
)
| if (proc_lower matches "*net*.exe" AND cmd_lower contains "user", "net user /domain",
if (proc_lower matches "*net*.exe" AND cmd_lower contains "group", "net group /domain",
if (proc_lower matches "*powershell*" AND cmd_lower contains "get-aduser", "Get-ADUser",
if (proc_lower matches "*powershell*" AND (cmd_lower contains "get-domainuser" OR cmd_lower contains "get-netuser"), "PowerView User Enum",
if (proc_lower matches "*powershell*", "PowerShell AD Enum",
"AD Enumeration Tool"
)
)
)
)
) as enum_type
| table _time, _sourceHost, user, process_image, command_line, parent_image, enum_type
| sort by _time descSumo Logic detection for domain account enumeration using Windows Security (Event ID 4688) and Sysmon process creation (Event ID 1) log sources. Identifies net.exe /domain commands, PowerShell Active Directory module and PowerView cmdlets, and well-known AD recon tools including AdFind, BloodHound, SharpHound, nltest, dsquery, and CrackMapExec.
Data Sources
Required Tables
False Positives & Tuning
- Domain administrators using dsquery or csvde for bulk user exports during migrations or audits
- IT automation scripts using PowerShell AD module cmdlets for routine group membership reporting or access reviews
- Security operations center tools or SIEM connectors that enumerate AD users and groups for user entity behavior analytics (UEBA) baseline building
Other platforms for T1087.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Domain User Enumeration via net.exe
Expected signal: Sysmon Event ID 1: Process Create with Image ending in net.exe or net1.exe (Windows internally invokes net1.exe), CommandLine containing 'user /domain'. Security Event ID 4688 (if process command line auditing is enabled) with same details. Parent process will be cmd.exe or the calling shell.
- Test 2Domain Admin Group Enumeration via net.exe
Expected signal: Three separate Sysmon Event ID 1 entries, each with Image=net.exe or net1.exe, CommandLine containing 'group' and '/domain'. The rapid succession of three similar commands within seconds on the same host is a strong indicator. Security Event ID 4688 for each invocation if command line auditing is enabled.
- Test 3PowerShell Active Directory Module User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADUser' and '-Filter *'. PowerShell ScriptBlock Logging Event ID 4104 with the full command including filter and properties. Active Directory replication/query traffic from the host to the domain controller on LDAP port 389.
- Test 4PowerView Domain User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-DomainUser', 'IEX', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection to github.com or raw.githubusercontent.com. PowerShell ScriptBlock Logging Event ID 4104 with the IEX download cradle and Get-DomainUser call. Multiple LDAP queries to domain controllers captured in network traffic.
- Test 5nltest Domain Controller and Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Three process creation events for nltest.exe with CommandLine containing '/dclist:', '/domain_trusts', and '/user:Administrator' respectively. Security Event ID 4688 if command line auditing is enabled. nltest.exe is not commonly run by standard users, making any execution noteworthy.
References (11)
- https://attack.mitre.org/techniques/T1087/002/
- https://attack.mitre.org/techniques/T1087/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/net-user
- https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://www.mandiant.com/resources/blog/fin13-a-cybercriminal-threat-actor-focused-on-mexico
- https://www.cisa.gov/sites/default/files/publications/CISA_AA20-120A.pdf
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1087.002 including response playbook, investigation guide, and atomic red team tests.