Account Discovery Command via SYSTEM Account
The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.
This detection rule identifies instances where the SYSTEM account is used to execute account discovery utilities, such as whoami.exe and net1.exe. This behavior is commonly observed after an attacker has successfully achieved privilege escalation within a Windows environment, or after exploiting a web application. The rule is designed to detect post-exploitation discovery activity where an adversary attempts to gain situational awareness by enumerating accounts and system information using the elevated SYSTEM context. The rule leverages data from Elastic Defend and Sysmon Event ID 1 to identify these behaviors, helping defenders spot potential privilege escalation and lateral movement attempts. The original rule was created 2020/03/18 and updated 2026/05/04.
Attack Chain
- An attacker gains initial access to a system, potentially through exploiting a vulnerability in a web application or through phishing.
- The attacker escalates privileges to the SYSTEM account, possibly by exploiting a local privilege escalation vulnerability.
- The attacker executes whoami.exe or net1.exe via the SYSTEM account to enumerate user accounts and gather system information.
- The whoami.exe or net1.exe process is spawned by a parent process such as a web server process (e.g., w3wp.exe) or a service process.
- The attacker uses the discovered account information to plan further actions, such as lateral movement or credential theft.
- The attacker may use net1.exe to query domain information.
- The attacker leverages the gained information to identify valuable targets within the network.
- The final objective is often data exfiltration, deployment of ransomware, or further compromise of the network.
Impact
A successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Although this rule has low severity, the execution of discovery commands by the SYSTEM account can be a critical indicator of compromise. Early detection of such activity can prevent more severe damage.
Recommendation
- Deploy the provided Sigma rules to detect account discovery commands executed via the SYSTEM account and tune for your environment.
- Enable Sysmon process creation logging (Event ID 1) to ensure the necessary data is available for detection.
- Investigate any alerts generated by these rules, focusing on the process execution chain to identify the source of the SYSTEM account usage.
- If the process tree includes a web-application server process, investigate suspicious file creation or modification to assess for webshell backdoors.
- Review and harden web application security to prevent initial access and privilege escalation.
Detection coverage (3 rules)
Account Discovery via SYSTEM Account - whoami.exe
Severity: medium. Detects execution of whoami.exe by the SYSTEM account, indicating potential post-exploitation discovery activity.
Account Discovery via SYSTEM Account - net1.exe
Severity: medium. Detects execution of net1.exe by the SYSTEM account, excluding legitimate uses.
Account Discovery via SYSTEM Account - net1.exe without cmd.exe
Severity: medium. Detects execution of net1.exe by the SYSTEM account when not launched via cmd.exe, indicating potential post-exploitation discovery activity.
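The following is an added example, not the platform's detection queries and not the original Elastic rule: it runs an approximation of the three rules above over a handful of constructed Sysmon Event ID 1 records and then walks the parent chain of each hit, which is the triage step the Recommendation section asks for (is a web-application server such as w3wp.exe an ancestor?). Assumptions are labelled in the code: the "legitimate use" exclusion for net1.exe is taken to be net.exe launching net1.exe for a service start/stop, the web-server image list is illustrative, and "without cmd.exe" is read as no cmd.exe anywhere in the recorded parent chain. Field names follow the Sysmon EID 1 schema (Image, User, CommandLine, ProcessGuid, ParentProcessGuid).

```python
import ntpath
from collections import defaultdict

SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# Assumed: web-application server binaries worth flagging when found in the parent chain.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}

# Constructed Sysmon Event ID 1 records, trimmed to the fields this logic needs.
EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "",   "Image": "C:\\Windows\\System32\\services.exe",        "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "services.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": "C:\\Windows\\System32\\svchost.exe",         "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "svchost.exe -k netsvcs"},
    # Benign service control: net.exe -> net1.exe as SYSTEM (should not fire).
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "Image": "C:\\Windows\\System32\\net.exe",             "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "net start Spooler"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "Image": "C:\\Windows\\System32\\net1.exe",            "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "C:\\Windows\\system32\\net1 start Spooler"},
    # Suspicious: IIS worker -> cmd.exe -> whoami.exe, all as SYSTEM.
    {"ProcessGuid": "g5", "ParentProcessGuid": "g2", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",   "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5", "Image": "C:\\Windows\\System32\\cmd.exe",             "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessGuid": "g7", "ParentProcessGuid": "g6", "Image": "C:\\Windows\\System32\\whoami.exe",          "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "whoami"},
    # Suspicious: net1.exe spawned straight from the web worker, no cmd.exe, domain query.
    {"ProcessGuid": "g8", "ParentProcessGuid": "g5", "Image": "C:\\Windows\\System32\\net1.exe",            "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "net1 user /domain"},
    # Interactive user running whoami: not SYSTEM, must not fire.
    {"ProcessGuid": "g9", "ParentProcessGuid": "",   "Image": "C:\\Windows\\System32\\whoami.exe",          "User": "CORP\\alice",          "CommandLine": "whoami /all"},
]


def image_name(event):
    """Basename of Image, lower-cased, so 'C:\\...\\WhoAmI.EXE' still matches 'whoami.exe'."""
    return ntpath.basename(event["Image"]).lower()


def is_system(event):
    return event["User"].upper() in SYSTEM_USERS


def ancestry(events, guid):
    """Image names from the process itself up to the root of the recorded chain."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:  # 'seen' guards against a malformed cycle
        seen.add(guid)
        chain.append(image_name(by_guid[guid]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def is_service_control(event, parent_name):
    """Assumed 'legitimate use': net.exe -> net1.exe starting or stopping a service."""
    args = event["CommandLine"].lower().split()
    return parent_name == "net.exe" and len(args) > 1 and args[1] in ("start", "stop")


def detect(events):
    """Return {rule_name: [ProcessGuid, ...]} for the three rules described on this page."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        if not is_system(e):
            continue
        name = image_name(e)
        parent = by_guid.get(e["ParentProcessGuid"])
        parent_name = image_name(parent) if parent else ""
        if name == "whoami.exe":
            hits["whoami_system"].append(e["ProcessGuid"])
        elif name == "net1.exe" and not is_service_control(e, parent_name):
            hits["net1_system"].append(e["ProcessGuid"])
            # Assumed reading of "without cmd.exe": no cmd.exe anywhere above the process.
            if "cmd.exe" not in ancestry(events, e["ProcessGuid"])[1:]:
                hits["net1_system_no_cmd"].append(e["ProcessGuid"])
    return dict(hits)


def web_server_ancestor(events, guid):
    """First web-application server image found above the process, or None."""
    for name in ancestry(events, guid)[1:]:
        if name in WEB_SERVER_IMAGES:
            return name
    return None


if __name__ == "__main__":
    for rule, guids in detect(EVENTS).items():
        for g in guids:
            print(f"{rule:22s} {g}: {' <- '.join(ancestry(EVENTS, g))}"
                  f"  [web server ancestor: {web_server_ancestor(EVENTS, g)}]")
```

Running it prints the whoami.exe hit with the chain whoami.exe <- cmd.exe <- w3wp.exe <- svchost.exe <- services.exe and the net1.exe hit chained straight to w3wp.exe; the benign net.exe start/stop pair and the non-SYSTEM whoami.exe produce nothing. Tuning in a real environment mostly means growing is_service_control and the parent allowlist from what your own SYSTEM-context net1.exe baseline looks like, not loosening the SYSTEM check.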