Detect Account Discovery in CrowdStrike LogScale
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers. Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. On Windows, common discovery methods include net user, net localgroup, wmic useraccount list, Get-LocalUser, and Get-ADUser. On Linux and macOS, adversaries may read /etc/passwd, use getent, id, last, and who commands. In cloud environments, CLIs such as aws iam list-users, az ad user list, and gcloud iam service-accounts list are commonly abused. Observed threat actors leveraging this technique include Aquatic Panda, Scattered Spider, FIN13, and malware families such as Woody RAT, Havoc, TONESHELL, and ShimRatReporter.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1087 Account Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1087/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| FileName = /^(net\.exe|net1\.exe|wmic\.exe|dsquery\.exe|nltest\.exe|whoami\.exe|powershell\.exe|pwsh\.exe)$/i
| CommandLine = /net\s+(user|localgroup|group)|wmic.*(useraccount|\sgroup)|whoami.*\/(groups|all|priv)|(get-localuser|get-localgroup|get-localgroupmember|get-aduser|get-adgroupmember|get-adobject|get-adprincipalgroup|directorysearcher|directoryentry|\[adsi\])|dsquery\s|nltest\s/i
| eval NetUserEnum = if(CommandLine = /net(1)?\s+user/i, "true", "false")
| eval NetGroupEnum = if(CommandLine = /net(1)?\s+(localgroup|group)/i, "true", "false")
| eval NetDomainEnum = if(CommandLine = /net(1)?\s+(user|group).*\/domain/i, "true", "false")
| eval WMICEnum = if(CommandLine = /wmic.*(useraccount|\sgroup)/i, "true", "false")
| eval DSQueryEnum = if(FileName = /dsquery\.exe/i, "true", "false")
| eval NLTestEnum = if(FileName = /nltest\.exe/i, "true", "false")
| eval WhoamiEnum = if(CommandLine = /whoami.*\/(groups|all|priv)/i, "true", "false")
| eval PSLocalEnum = if(CommandLine = /(get-localuser|get-localgroup|get-localgroupmember)/i, "true", "false")
| eval PSADEnum = if(CommandLine = /(get-aduser|get-adgroupmember|get-adprincipalgroup|get-adobject)/i, "true", "false")
| eval PrivGroupTarget = if(CommandLine = /(administrators|domain admins|enterprise admins|schema admins)/i, "true", "false")
| eval EncodedPS = if(CommandLine = /-(enc|EncodedCommand)\s/i, "true", "false")
| select [@timestamp, ComputerName, UserName, FileName, CommandLine, ParentProcessId, ParentBaseFileName, NetUserEnum, NetGroupEnum, NetDomainEnum, WMICEnum, DSQueryEnum, NLTestEnum, WhoamiEnum, PSLocalEnum, PSADEnum, PrivGroupTarget, EncodedPS]
| sort @timestamp descCrowdStrike LogScale detection for MITRE ATT&CK T1087 Account Discovery using Falcon ProcessRollup2 events. Identifies net.exe, wmic.exe, dsquery.exe, nltest.exe, whoami.exe, and PowerShell Active Directory cmdlet usage with command line arguments characteristic of account and group enumeration. Flags encoded PowerShell and privileged group targeting for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- System administrators executing net user or net localgroup commands to manage local accounts or troubleshoot access issues on workstations and servers
- Active Directory management and monitoring tools (e.g., RSAT, Quest AD tools, Varonis) that perform frequent account enumeration as part of normal operations
- Security and identity governance platforms performing scheduled access reviews or certification campaigns via PowerShell AD cmdlets
Other platforms for T1087
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Local Account Enumeration via Net User
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe and CommandLine='net user'. Net1.exe may also appear as a child process. Security Event ID 4688 (if command line auditing enabled) with the same detail. No network connections expected — local SAM database query only.
- Test 2Domain Account and Group Enumeration via Net
Expected signal: Sysmon Event ID 1: Three sequential Process Create events for net.exe with CommandLines 'net user /domain', 'net group Domain Admins /domain', 'net group Enterprise Admins /domain'. Sysmon Event ID 3: Network connections to domain controller IP on port 445 (SMB/SAMR protocol for domain queries). Security Event IDs 4661/4662 on the domain controller for directory object access.
- Test 3Active Directory Enumeration via PowerShell Get-ADUser
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-ADUser' and '-Filter *'. Sysmon Event ID 3: LDAP connection (port 389 or 3268 for global catalog) from powershell.exe to domain controller IP. PowerShell ScriptBlock Logging Event ID 4104 with full script content. Domain Controller Security Event IDs 4661/4662 for directory service access.
- Test 4WMI-Based Local Account Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\wbem\WMIC.exe and CommandLine='wmic useraccount list brief'. Possible WMI provider process creation (WmiPrvSE.exe). No network connections for local query. Security Event ID 4688 with command line if auditing enabled.
- Test 5dsquery Domain User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\dsquery.exe and CommandLine='dsquery user -limit 0'. Sysmon Event ID 3: LDAP connection from dsquery.exe to domain controller on port 389 or 3268. Security Event IDs 4661/4662 on domain controller for directory access.
References (11)
- https://attack.mitre.org/techniques/T1087/
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/net-user
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)
- https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.crowdstrike.com/blog/2022-falcon-overwatch-report/
- https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico
Unlock Pro Content
Get the full detection package for T1087 including response playbook, investigation guide, and atomic red team tests.