Windows Account Discovery of Administrator Accounts
The rule identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools like net.exe and wmic.exe, potentially indicating reconnaissance activity by an attacker after initial compromise.
After gaining initial access to a Windows environment, attackers often perform reconnaissance to gather information about the network, users, and systems. This activity helps them understand the environment and plan further actions, such as privilege escalation or lateral movement. One common reconnaissance technique involves enumerating administrator accounts and groups to identify potential targets for credential compromise or other post-exploitation activities. The native Windows utilities net.exe and wmic.exe are often used for this purpose. This activity is often performed by lower-privileged accounts to avoid detection. This activity is detectable across endpoint, system, and M365 Defender data sources.
Attack Chain
- An attacker gains initial access to a Windows system via an exploit or stolen credentials.
- The attacker executes
net.exewith arguments such asgroup,user, orlocalgroupto enumerate user accounts and groups. - The
net.execommands include search terms like "admin", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", or "Organization Management" to specifically target administrator accounts. - Alternatively, the attacker executes
wmic.exewith arguments such asgrouporuseraccountto gather the same information. - The attacker parses the output of these commands to identify privileged accounts and group memberships.
- This information is used to identify targets for credential theft, such as Kerberoasting or password spraying.
- The attacker attempts to compromise identified administrator accounts.
- Upon successful compromise, the attacker uses the elevated privileges to achieve their final objective, such as data exfiltration or ransomware deployment.
Impact
Successful enumeration of administrator accounts allows attackers to identify high-value targets within the network. This can lead to the compromise of critical systems, data breaches, and significant operational disruption. Although this rule is low severity, this discovery tactic is a key step in a wider attack chain that often leads to much more severe impacts.
Recommendation
- Enable Windows Security Event Logging and ensure proper collection of process creation events to facilitate detection of the described behavior (Data Source: Windows Security Event Logs).
- Deploy the Sigma rules provided below to your SIEM and tune the rules based on your environment to reduce false positives.
- Review and harden account permissions, focusing on limiting membership in highly privileged groups such as Domain Admins (T1069).
- Investigate any instances of non-administrator accounts enumerating administrative accounts or groups (see rule "Enumeration of Administrator Accounts").
Detection coverage 2
Detect Net.exe Enumerating Administrator Accounts
lowDetects the use of net.exe to enumerate administrator accounts and groups.
Detect WMIC Enumerating User Accounts
lowDetects the use of wmic.exe to enumerate user accounts.
Detection queries are available on the platform. Get full rules →