T1087 Microsoft Sentinel · KQL

Detect Account Discovery in Microsoft Sentinel

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers. Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. On Windows, common discovery methods include net user, net localgroup, wmic useraccount list, Get-LocalUser, and Get-ADUser. On Linux and macOS, adversaries may read /etc/passwd, use getent, id, last, and who commands. In cloud environments, CLIs such as aws iam list-users, az ad user list, and gcloud iam service-accounts list are commonly abused. Observed threat actors leveraging this technique include Aquatic Panda, Scattered Spider, FIN13, and malware families such as Woody RAT, Havoc, TONESHELL, and ShimRatReporter.

MITRE ATT&CK

Tactic
Discovery
Technique
T1087 Account Discovery
Canonical reference
https://attack.mitre.org/techniques/T1087/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let AccountDiscoveryProcesses = dynamic([
  "net.exe", "net1.exe", "wmic.exe", "dsquery.exe", "nltest.exe", "whoami.exe"
]);
let AccountDiscoveryCmdPatterns = dynamic([
  "net user", "net localgroup", "net group",
  "wmic useraccount", "wmic group",
  "dsquery user", "dsquery group",
  "Get-LocalUser", "Get-LocalGroup", "Get-ADUser", "Get-ADGroupMember",
  "nltest /dclist", "nltest /domain_trusts",
  "whoami /groups", "whoami /all",
  "query user", "quser"
]);
let PSAccountDiscovery = dynamic([
  "Get-LocalUser", "Get-LocalGroup", "Get-ADUser",
  "Get-ADGroupMember", "Get-ADObject", "Get-ADPrincipalGroupMembership",
  "[adsi]", "DirectorySearcher", "DirectoryEntry"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ (AccountDiscoveryProcesses) and ProcessCommandLine has_any (AccountDiscoveryCmdPatterns))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSAccountDiscovery))
    or (ProcessCommandLine has "whoami" and ProcessCommandLine has_any ("/groups", "/all", "/priv"))
  )
| extend IsEncodedPS = (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("-enc", "-EncodedCommand"))
| extend NetUserDomain = (ProcessCommandLine has "net user" and ProcessCommandLine has "/domain")
| extend LocalGroupEnum = (ProcessCommandLine has_any ("net localgroup", "Get-LocalGroup", "wmic group"))
| extend PrivilegedGroupEnum = (ProcessCommandLine has_any ("administrators", "domain admins", "enterprise admins", "schema admins"))
| extend WMICEnum = (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("useraccount", "group"))
| extend DSQueryEnum = (FileName =~ "dsquery.exe")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, ProcessId,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
         IsEncodedPS, NetUserDomain, LocalGroupEnum, PrivilegedGroupEnum, WMICEnum, DSQueryEnum
| sort by Timestamp desc
medium severity medium confidence

Detects account discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies Windows built-in tools (net.exe, net1.exe, wmic.exe, dsquery.exe, nltest.exe, whoami.exe) and PowerShell cmdlets (Get-LocalUser, Get-ADUser, Get-ADGroupMember) used to enumerate local accounts, domain accounts, and group memberships. Enriches each event with boolean flags for encoded PowerShell, domain-level enumeration, local group enumeration, privileged group targeting, WMI-based enumeration, and directory query usage. High-fidelity signals include privileged group enumeration and domain-level queries from non-administrative processes.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • IT administrators running net user or Get-ADUser as part of routine account auditing and helpdesk workflows
  • Endpoint management agents (SCCM, Intune, Tanium) that enumerate local accounts during inventory collection
  • Security scanning tools (Nessus, Qualys, CrowdStrike Spotlight) performing authenticated enumeration for vulnerability assessment
  • HR and IAM automation scripts that synchronize user lists between directories (e.g., Azure AD Connect, Okta provisioning)
  • Monitoring and SIEM agents that collect account information for baseline and compliance reporting
  • Developer tools and CI/CD pipelines that resolve user identities during build or deployment processes
Download portable Sigma rule (.yml)

Other platforms for T1087

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Local Account Enumeration via Net User

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe and CommandLine='net user'. Net1.exe may also appear as a child process. Security Event ID 4688 (if command line auditing enabled) with the same detail. No network connections expected — local SAM database query only.

  2. Test 2Domain Account and Group Enumeration via Net

    Expected signal: Sysmon Event ID 1: Three sequential Process Create events for net.exe with CommandLines 'net user /domain', 'net group Domain Admins /domain', 'net group Enterprise Admins /domain'. Sysmon Event ID 3: Network connections to domain controller IP on port 445 (SMB/SAMR protocol for domain queries). Security Event IDs 4661/4662 on the domain controller for directory object access.

  3. Test 3Active Directory Enumeration via PowerShell Get-ADUser

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-ADUser' and '-Filter *'. Sysmon Event ID 3: LDAP connection (port 389 or 3268 for global catalog) from powershell.exe to domain controller IP. PowerShell ScriptBlock Logging Event ID 4104 with full script content. Domain Controller Security Event IDs 4661/4662 for directory service access.

  4. Test 4WMI-Based Local Account Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\wbem\WMIC.exe and CommandLine='wmic useraccount list brief'. Possible WMI provider process creation (WmiPrvSE.exe). No network connections for local query. Security Event ID 4688 with command line if auditing enabled.

  5. Test 5dsquery Domain User Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\dsquery.exe and CommandLine='dsquery user -limit 0'. Sysmon Event ID 3: LDAP connection from dsquery.exe to domain controller on port 389 or 3268. Security Event IDs 4661/4662 on domain controller for directory access.

Last updated: 2026-04-17 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1087 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1087.001Local AccountT1087.002Domain AccountT1087.003Email AccountT1087.004Cloud AccountT1069Permission Groups DiscoveryT1069.001Local GroupsT1069.002Domain GroupsT1033System Owner/User DiscoveryT1078Valid AccountsT1110Brute ForceT1566PhishingT1021Remote ServicesT1136Create Account

Same Tactic: Discovery

Popular Detections