LoFP / legitimate administrator or user enumerates local users for legitimate reason

Techniques

Sample rules

Local Accounts Discovery

Description

Detects local account and system owner/user discovery performed with built-in operating system utilities.

Detection logic

condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
filter_cmd:
  CommandLine|contains: ' rmdir '
filter_net:
  CommandLine|contains:
  - /domain
  - /add
  - /delete
  - /active
  - /expires
  - /passwordreq
  - /scriptpath
  - /times
  - /workstations
selection_cmd:
  CommandLine|contains|all:
  - ' /c'
  - 'dir '
  - \Users\
  Image|endswith: \cmd.exe
selection_net:
  CommandLine|contains: user
  Image|endswith:
  - \net.exe
  - \net1.exe
selection_other_cmdkey:
  CommandLine|contains: ' /l'
  Image|endswith: \cmdkey.exe
selection_other_img:
  Image|endswith:
  - \whoami.exe
  - \quser.exe
  - \qwinsta.exe
selection_other_wmi:
  CommandLine|contains|all:
  - useraccount
  - get
  Image|endswith: \wmic.exe