sigmalowHunting

Local Accounts Discovery

Local accounts, System Owner/User discovery using operating systems utilities

MITRE ATT&CK

discovery

Detection Query

selection_other_img:
  - Image|endswith:
      - \whoami.exe
      - \quser.exe
      - \qwinsta.exe
  - OriginalFileName:
      - whoami.exe
      - quser.exe
      - qwinsta.exe
selection_other_wmi:
  Image|endswith: \wmic.exe
  CommandLine|contains|all:
    - useraccount
    - get
selection_other_cmdkey:
  Image|endswith: \cmdkey.exe
  CommandLine|contains: " /l"
selection_cmd:
  Image|endswith: \cmd.exe
  CommandLine|contains|all:
    - " /c"
    - "dir "
    - \Users\
filter_cmd:
  CommandLine|contains: " rmdir "
selection_net:
  Image|endswith:
    - \net.exe
    - \net1.exe
  CommandLine|contains: user
filter_net:
  CommandLine|contains:
    - /domain
    - /add
    - /delete
    - /active
    - /expires
    - /passwordreq
    - /scriptpath
    - /times
    - /workstations
condition: (selection_cmd and not filter_cmd) or (selection_net and not
  filter_net) or 1 of selection_other_*

Author

Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community

Created

2019-10-21

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md

Tags

attack.discoveryattack.t1033attack.t1087.001

Raw Content

title: Local Accounts Discovery
id: 502b42de-4306-40b4-9596-6f590c81f073
status: test
related:
    - id: e28a5a99-da44-436d-b7a0-2afc20a5f413 # Whoami Utility Execution
      type: obsolete
description: Local accounts, System Owner/User discovery using operating systems utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2025-10-20
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_img:
        - Image|endswith:
              - '\whoami.exe'
              - '\quser.exe'
              - '\qwinsta.exe'
        - OriginalFileName:
              - 'whoami.exe'
              - 'quser.exe'
              - 'qwinsta.exe'
    selection_other_wmi:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'useraccount'
            - 'get'
    selection_other_cmdkey:
        Image|endswith: '\cmdkey.exe'
        CommandLine|contains: ' /l'
    selection_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - ' /c'
            - 'dir '
            - '\Users\'
    filter_cmd:
        CommandLine|contains: ' rmdir ' # don't match on 'dir'   "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
    selection_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'user'
    filter_net:
        CommandLine|contains:
            - '/domain'       # local account discovery only
            - '/add'          # discovery only
            - '/delete'       # discovery only
            - '/active'       # discovery only
            - '/expires'      # discovery only
            - '/passwordreq'  # discovery only
            - '/scriptpath'   # discovery only
            - '/times'        # discovery only
            - '/workstations' # discovery only
    condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
falsepositives:
    - Legitimate administrator or user enumerates local users for legitimate reason
level: low