T1087 | Discovery | Easy difficulty

Account Discovery

Account Discovery (T1087) is a MITRE ATT&CK technique in the Discovery tactic. SOC analysts detect it by monitoring SIEM and XDR events for behavioral anomalies and for the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.


What is Account Discovery?

Adversaries may attempt to get a listing of local system or domain accounts. This information can help adversaries determine which accounts exist on a system so that compromised credentials can be matched to those accounts, or so that new accounts can be created to blend in with the existing environment. On Windows, this includes commands like net user, net localgroup, and dsquery. On Linux, attackers enumerate users from /etc/passwd and with commands like id, who, and getent. Active Directory enumeration using LDAP queries, ADExplorer, BloodHound, and PowerView provides comprehensive maps of domain accounts, group memberships, and permissions that help attackers identify the most privileged accounts to target for credential theft or privilege escalation. Understanding the account landscape is a critical precursor to targeted lateral movement and privilege escalation attacks.

Account Discovery is documented as technique T1087 in the MITRE ATT&CK knowledge base under the Discovery tactic. Detection requires visibility into SIEM and XDR telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Account Discovery activity. These methods apply across SIEM and XDR environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for execution of net user, net group, net localgroup, and whoami commands in quick succession, which is a common pattern during post-compromise reconnaissance regardless of the operator behind the attack.

2. Alert on LDAP queries for user account enumeration from workstations that would not normally perform such queries, particularly queries retrieving all user objects or filtering for accounts with specific attributes like AdminCount=1.

3. Detect BloodHound and similar AD enumeration tools through their characteristic LDAP query patterns, including queries for all objects with specific properties used to map attack paths through Active Directory.

4. Monitor for use of PowerShell cmdlets Get-ADUser, Get-ADGroup, and Get-ADGroupMember outside of established administrative scripts, particularly when executed with credentials other than the logged-in user.

5. Alert on /etc/passwd and /etc/shadow file access on Linux servers by non-root processes or from user accounts that have no administrative responsibilities on those specific systems.
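Strategies 1 and 2 above are the ones most easily expressed as correlation logic, so here is an added worked example (not code from SOCSimulator or the page) that runs both over constructed process-execution and LDAP-search events. The 90-second window and the three-family threshold are assumed tuning values; the "DC01" expected-source host is a constructed name, while FIN-WS-019 and WS-DEV-007 are taken from the example alerts below.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Command families that, run together in quick succession, match strategy 1 above.
DISCOVERY_CMDS = ("net user", "net group", "net localgroup", "whoami")
WINDOW = timedelta(seconds=90)  # assumed threshold; 90 s is the XDR example alert's window
THRESHOLD = 3                   # assumed: distinct command families inside WINDOW

# Constructed sample process events (not from the page): (host, ISO timestamp, command line).
PROCESS_EVENTS = [
    ("FIN-WS-019", "2024-05-01T09:00:05", "net user"),
    ("FIN-WS-019", "2024-05-01T09:00:20", "net localgroup administrators"),
    ("FIN-WS-019", "2024-05-01T09:01:02", 'net group "domain admins" /domain'),
    ("FIN-WS-019", "2024-05-01T09:01:30", "whoami /all"),
    ("WS-HR-003", "2024-05-01T10:00:00", "net user"),          # a lone lookup: benign
    ("WS-HR-003", "2024-05-01T10:00:10", "net user /domain"),  # same family, counted once
    ("WS-HR-003", "2024-05-01T10:30:00", "whoami"),            # well outside the window
]

def rapid_enumeration(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: [families]} for hosts running >= threshold distinct families within window."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        family = next((p for p in DISCOVERY_CMDS if cmd.lower().startswith(p)), None)
        if family:
            per_host[host].append((datetime.fromisoformat(ts), family))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Sliding window anchored at event i; count families, not repeated commands
            families = {f for t, f in seen[i:] if t - start <= window}
            if len(families) >= threshold:
                hits[host] = sorted(families)
                break
    return hits

# Constructed LDAP search events (not from the page): (host, ISO timestamp, search filter).
LDAP_EVENTS = [
    ("WS-DEV-007", "2024-05-01T11:02:00", "(&(objectClass=user)(adminCount=1))"),
    ("DC01", "2024-05-01T11:02:05", "(&(objectClass=user)(adminCount=1))"),  # expected source
    ("WS-DEV-007", "2024-05-01T11:05:00", "(sAMAccountName=jsmith)"),        # single lookup: fine
]

def privileged_ldap_queries(events, expected_sources=frozenset({"DC01"})):
    """Strategy 2: flag AdminCount=1 searches from hosts not expected to run them."""
    return [(h, ts, f) for h, ts, f in events
            if h not in expected_sources and "(admincount=1)" in f.replace(" ", "").lower()]
```

Counting command families rather than raw commands keeps a single repeated lookup from tripping the rule, and the expected-source allowlist is where known admin hosts and domain controllers go so the LDAP rule stays quiet for them.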

Example Alerts

These realistic alert examples show what Account Discovery looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Tool: SIEM

Active Directory Enumeration via BloodHound

LDAP query pattern analysis detected BloodHound data collection activity from workstation WS-SALES-022. Queries retrieved all user objects, group memberships, computer accounts, and GPO configurations within 8 minutes. This comprehensive Active Directory enumeration provides attackers with a complete map of attack paths to domain admin. The source workstation user has no administrative role.

Severity: Medium | Tool: XDR

Rapid Account Enumeration Commands Executed

Process execution sequence detected: net user, net localgroup administrators, net group "domain admins" /domain, and whoami /all all executed within 90 seconds on finance workstation FIN-WS-019. This rapid succession of account discovery commands is consistent with post-compromise reconnaissance by an attacker who has gained initial access and is mapping the environment.

Severity: Medium | Tool: SIEM

LDAP Query for Privileged Accounts from Workstation

Unusual LDAP query detected from workstation WS-DEV-007 querying Active Directory for all user accounts where AdminCount=1, which returns all accounts that are members of privileged groups. This specific query is a known reconnaissance technique used to identify high-value accounts to target for credential theft or privilege escalation in a compromised Active Directory environment.

Practice Detecting Account Discovery

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Account Discovery. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect Account Discovery?
SOC analysts detect Account Discovery (T1087) by monitoring SIEM and XDR telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for execution of net user, net group, net localgroup, and whoami commands in quick succession, a common pattern during post-compromise reconnaissance. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Account Discovery?
Account Discovery can be detected using SIEM and XDR platforms. SIEM tools are particularly effective for this technique because they provide visibility into the discovery phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Account Discovery in real-world attacks?
Account Discovery is a well-documented MITRE ATT&CK technique in the Discovery tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Account Discovery scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Account Discovery for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Discovery techniques like Account Discovery. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.