Account Discovery T1087

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Events covered

34 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 3Network connection
SysmonEvent ID 7Image loaded
SysmonEvent ID 8CreateRemoteThread
SysmonEvent ID 11FileCreate
Security-AuditingEvent ID 4624An account was successfully logged on.
Security-AuditingEvent ID 4625An account failed to log on.
Security-AuditingEvent ID 4661A handle to an object was requested.
Security-AuditingEvent ID 4662An operation was performed on an object.
Security-AuditingEvent ID 4672Special privileges assigned to new logon.
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 4776The domain controller attempted to validate the credentials for an account.
Security-AuditingEvent ID 4798A user's local group membership was enumerated.
Security-AuditingEvent ID 4799A security-enabled local group membership was enumerated.
Security-AuditingEvent ID 5156The Windows Filtering Platform has permitted a connection.
Defender-DeviceEventsanyDefender event (any)
Defender-DeviceEventsCreateRemoteThreadApiCallCreateRemoteThread API call
Defender-DeviceEventsLdapSearchLDAP search
Defender-DeviceEventsNtAllocateVirtualMemoryRemoteApiCallRemote virtual memory allocation (NtAllocateVirtualMemory)
Defender-DeviceEventsMemoryRemoteProtectRemote virtual memory protection change
Defender-DeviceEventsNtMapViewOfSectionRemoteApiCallRemote section map (NtMapViewOfSection)
Defender-DeviceEventsQueueUserApcRemoteApiCallRemote APC queued (QueueUserApc)
Defender-DeviceEventsSetThreadContextRemoteApiCallRemote thread context change (SetThreadContext)
Defender-DeviceNetworkEventsConnectionSuccessConnection succeeded
Defender-DeviceProcessEventsanyProcess activity (any)
LDAP-ClientEvent ID 30LDAP search request
PowerShellEvent ID 4103Payload Context: ContextInfo User Data: UserData.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
Threat-IntelligenceEvent ID 1Remote Virtual Memory Allocation
Threat-IntelligenceEvent ID 2Remote Virtual Memory Protection Change
Threat-IntelligenceEvent ID 3Remote Section Map
Threat-IntelligenceEvent ID 4Remote APC Queue
Threat-IntelligenceEvent ID 5Remote Thread Context Change
PowerShellEvent ID 800Event ID 800

Authoring guide

Patterns shared across the 132 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (61 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine56contains 36, regex_match 10, match 7, ends_with 2, in 2, eq 1, is_not_null 1(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(conf..., (?i)searchroot|objectcategory=|userenum, oudmp , (?i)((netstat)|(netsh)|(schtasks)|(tasklist)|(driverquery..., (?i)((whoami)|(dir)|(hostname)|(hostname)|(systeminfo)|(i...
EventID53eq 534104, 4688, 1, 4103, 4662
process_name28eq 17, match 6, regex_match 2, starts_with 2, wildcard 2, ends_with 1cmd.exe, net1.exe, (?i)ipconfig.exe, (?i)net1?.exe, (?i)nltest.exe
Image23ends_with 20, contains 1, eq 1, regex_match 1, starts_with 1\net.exe, \net1.exe, \adexp.exe, \adexplorer.exe, \adexplorer64.exe
OriginalFileName23eq 23net1.exe, net.exe, adexp, adfind.exe, wmic.exe
ScriptBlockText19contains 19, eq 3, in 2*[adsisearcher]*, get-netuser, get-wmiobject, *accountexpires*, *lastlogoff*
Type14eq 14
event.type8eq 8start
DestinationPort6eq 5, in 19389, 389, 636, 88
ObjectType6eq 3, contains 2, in 1SAM_GROUP, SAM_USER, %{bf967a9c-0de6-11d0-a285-00aa003049e2}, %{bf967aba-0de6-11d0-a285-00aa003049e2}, SAM_ALIAS
ParentImage6ends_with 4, contains 2, eq 1, regex_match 1-tomcat-, \caddy.exe, \httpd.exe, ?:\program files (x86)\teamcity\jre\bin\java.exe, ?:\program files\teamcity\jre\bin\java.exe
parent_process_name6in 2, regex_match 2, eq 1, match 1, starts_with 1(?i)(powershell|pwsh)\.exe, (?i)(powershell\.exe)|(cmd\.exe), beasvc.exe, cmd.exe, httpd.exe
ObjectName5ends_with 2, starts_with 2, contains 1, eq 1, in 1-500, S-1-5-21-, %honeypot_guid_list%, -502, -505
dc_process_name5gt 51, 2, 0
Channel4eq 4, in 4

Top indicator values (1361 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
EventIDeq
4104
24268
EventIDeq
4688
13312
EventIDeq
1
8232
EventIDeq
4103
6105
EventIDeq
4662
312
event.typeeq
start
8241
OriginalFileNameeq
net1.exe
743
OriginalFileNameeq
net.exe
627
OriginalFileNameeq
wmic.exe
461
process_nameeq
net1.exe
634
process_nameeq
cmd.exe
575
process_nameeq
net.exe
520
process_nameeq
dsquery.exe
412
process_nameeq
powershell.exe
499
process_nameeq
whoami.exe
411
process_nameeq
wmic.exe
444
DestinationPorteq
9389
55
Imageends_with
\net.exe
550
Imageends_with
\net1.exe
548
Imageends_with
\adexp.exe
33
Imageends_with
\adexplorer.exe
36
Imageends_with
\adexplorer64.exe
36
Imageends_with
\adexplorer64a.exe
34
Imageends_with
\adfind.exe
33
SubjectUserNameends_with
$
437
dc_processgt
3
44
event_countgt
0
44
CommandLinecontains
user
316
CommandLinematch
(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(config)|(share)|(use)|(u...
33
CommandLineregex_match
(?i)searchroot|objectcategory=|userenum
33

Exclusions (92 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
SubjectUserNameends_with
$
4
CommandLinecontains
add
2
CommandLinecontains
-i
1
CommandLinecontains
/add
1
CommandLinecontains
rmdir
1
CommandLinecontains
/active
1
CommandLinecontains
/add
1
CommandLinecontains
/delete
1
CommandLinecontains
/domain
1
CommandLinematch
(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c
2
Imagestarts_with
c:\windows\system32\windowspowershell\
2
Imagestarts_with
c:\windows\syswow64\windowspowershell\
2
usermatch
\$$
2
user.ideq
S-1-5-18
2
Accountends_with
$
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 41 rules

Elastic 10 rules

Splunk 73 rules

Kusto 7 rules

YARA-L 1 rule