Local Accounts Discovery
Local account and system owner/user discovery using operating system utilities
Sigma rule

```yaml
title: Local Accounts Discovery
id: 502b42de-4306-40b4-9596-6f590c81f073
status: test
related:
    - id: e28a5a99-da44-436d-b7a0-2afc20a5f413 # Whoami Utility Execution
      type: obsolete
description: Local account and system owner/user discovery using operating system utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2025-10-20
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_img:
        - Image|endswith:
              - '\whoami.exe'
              - '\quser.exe'
              - '\qwinsta.exe'
        - OriginalFileName:
              - 'whoami.exe'
              - 'quser.exe'
              - 'qwinsta.exe'
    selection_other_wmi:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'useraccount'
            - 'get'
    selection_other_cmdkey:
        Image|endswith: '\cmdkey.exe'
        CommandLine|contains: ' /l'
    selection_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - ' /c'
            - 'dir '
            - '\Users\'
    filter_cmd:
        CommandLine|contains: ' rmdir ' # don't match on 'dir' in: "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
    selection_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'user'
    filter_net:
        CommandLine|contains:
            - '/domain' # local account discovery only
            - '/add' # discovery only
            - '/delete' # discovery only
            - '/active' # discovery only
            - '/expires' # discovery only
            - '/passwordreq' # discovery only
            - '/scriptpath' # discovery only
            - '/times' # discovery only
            - '/workstations' # discovery only
    condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
falsepositives:
    - Administrators or users enumerating local accounts for a legitimate reason
level: low
```
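To see exactly which process-creation events this rule's condition accepts and which the two filters remove, here is a small evaluator of the rule's selections written as an added example for this page; it is not code from the Sigma project, and the sample events are constructed (Sysmon Event ID 1 field names, made-up paths and command lines). It implements the same `endswith` / `contains` / `contains|all` semantics the rule uses, including Sigma's default case-insensitive string matching, and reports which branch of the `condition` fires for each event.

```python
"""Evaluate the 'Local Accounts Discovery' Sigma rule against constructed
process_creation events. Added illustration, not Sigma project code; the
events below are made up and only mirror the rule's field names."""

# Sigma string matching is case-insensitive by default, so every helper
# lower-cases both sides before comparing.
def _norm(value):
    return "" if value is None else str(value).lower()

def ends_with_any(value, suffixes):
    v = _norm(value)
    return any(v.endswith(s.lower()) for s in suffixes)

def equals_any(value, names):
    v = _norm(value)
    return any(v == n.lower() for n in names)

def contains_any(value, needles):
    v = _norm(value)
    return any(n.lower() in v for n in needles)

def contains_all(value, needles):
    v = _norm(value)
    return all(n.lower() in v for n in needles)

# Switches that turn 'net user' into account management or domain discovery;
# the rule's filter_net drops all of them.
NET_FILTER = ("/domain", "/add", "/delete", "/active", "/expires",
              "/passwordreq", "/scriptpath", "/times", "/workstations")

def evaluate(event):
    """Return the name of the rule branch that fires for one event, or None.

    Branch order follows the rule's condition:
    (selection_cmd and not filter_cmd) or (selection_net and not filter_net)
    or 1 of selection_other_*
    """
    image = event.get("Image")
    cmd = event.get("CommandLine")
    orig = event.get("OriginalFileName")

    selection_cmd = (ends_with_any(image, ["\\cmd.exe"])
                     and contains_all(cmd, [" /c", "dir ", "\\Users\\"]))
    filter_cmd = contains_any(cmd, [" rmdir "])
    selection_net = (ends_with_any(image, ["\\net.exe", "\\net1.exe"])
                     and contains_any(cmd, ["user"]))
    filter_net = contains_any(cmd, NET_FILTER)
    others = {
        # selection_other_img is a list of two maps, so they are OR-ed:
        # either the image path or the PE OriginalFileName can match.
        "selection_other_img": (
            ends_with_any(image, ["\\whoami.exe", "\\quser.exe", "\\qwinsta.exe"])
            or equals_any(orig, ["whoami.exe", "quser.exe", "qwinsta.exe"])),
        "selection_other_wmi": (ends_with_any(image, ["\\wmic.exe"])
                                and contains_all(cmd, ["useraccount", "get"])),
        "selection_other_cmdkey": (ends_with_any(image, ["\\cmdkey.exe"])
                                   and contains_any(cmd, [" /l"])),
    }

    if selection_cmd and not filter_cmd:
        return "selection_cmd"
    if selection_net and not filter_net:
        return "selection_net"
    for name, hit in others.items():
        if hit:
            return name
    return None

# Constructed sample events; not real telemetry.
SYS32 = "C:\\Windows\\System32\\"
EVENTS = [
    {"Image": SYS32 + "whoami.exe", "CommandLine": "whoami /all"},
    {"Image": SYS32 + "quser.exe", "CommandLine": "quser"},
    {"Image": SYS32 + "net1.exe", "CommandLine": "net1 user"},
    # 'user' is a plain substring match, so this is flagged as well
    {"Image": SYS32 + "net.exe", "CommandLine": "net localgroup users"},
    # filter_net: domain account discovery is out of scope for this rule
    {"Image": SYS32 + "net.exe", "CommandLine": "net user /domain"},
    # filter_net: account creation is not discovery
    {"Image": SYS32 + "net.exe", "CommandLine": "net user svc P@ss /add"},
    {"Image": SYS32 + "cmd.exe", "CommandLine": "cmd.exe /c dir C:\\Users\\"},
    # filter_cmd: the OneDrive cleanup from the rule's own comment
    {"Image": SYS32 + "cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /q /c rmdir /s /q '
                    '"C:\\Users\\XX\\AppData\\Local\\Microsoft\\OneDrive\\19.232.1124.0005"'},
    {"Image": SYS32 + "wbem\\WMIC.exe", "CommandLine": "wmic useraccount get name,sid"},
    {"Image": SYS32 + "cmdkey.exe", "CommandLine": "cmdkey /list"},
    # renamed whoami.exe: caught through OriginalFileName, not the image path
    {"Image": "C:\\Users\\Public\\svc.exe", "CommandLine": "svc.exe /all",
     "OriginalFileName": "whoami.exe"},
    {"Image": SYS32 + "notepad.exe", "CommandLine": "notepad.exe"},
]

def alerts(events=EVENTS):
    """Return [(CommandLine, branch)] for every event the rule would flag."""
    return [(e["CommandLine"], evaluate(e)) for e in events if evaluate(e)]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{evaluate(e) or '-':24} {e['CommandLine']}")
```

Two things worth noting when tuning this rule. `CommandLine|contains: 'user'` is a bare substring test, so `net localgroup users` fires too; if that is noisy in your environment, tighten it to `' user'` or `' user '` rather than loosening `filter_net`, whose `/domain` entry is what keeps domain account enumeration out of a rule scoped to local accounts (attack.t1087.001). The `OriginalFileName` alternative in `selection_other_img` is what catches a copied or renamed `whoami.exe`; it only helps if your process-creation source (Sysmon, for example) actually records that field.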
Related rules
- Enumerate All Information With Whoami.EXE
- Suspicious Use of PsLogList
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock