This note documents detection patterns related to Local System Enumeration within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4688	Process creation	Critical	Detects enumeration binaries and command lines.
Sysmon	1	Process creation	Critical	Best source for enumeration lineage and hashes.
Sysmon	11	File create	Medium	Output files created during scripted enumeration.
PowerShell	4104	Script block logging	Critical	Captures PowerShell-based local recon.
Sysmon	3	Network connection	Medium	Useful if local recon followed by external reporting.
Sysmon	22	DNS query	Low	Rarely needed unless tool reaches external host.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Burst of native recon commands	whoami, hostname, systeminfo, tasklist	Critical	Common first-stage operator behavior.
Privilege checks	whoami /priv /groups	Critical	Often precedes escalation.
Service / process listing	tasklist, sc query	High	Local target mapping.
Patch enumeration	systeminfo, wmic qfe	High	Privesc preparation.
Local user/group inspection	net user, net localgroup	High	Privilege mapping.
Scripted recon bundle	Many commands in short span	Critical	Strong operator automation clue.

Common Tools

Tool	Usage
whoami.exe	Identity / privileges
hostname.exe	Host identification
systeminfo.exe	System details / patch level
tasklist.exe	Process listing
net.exe	User / group enumeration
sc.exe	Service inspection
wmic.exe	OS / patch / hardware info
PowerShell	Full local recon

Relevant Artifacts

Security Event ID 4688
Sysmon Event ID 1
Sysmon Event ID 11
PowerShell 4104
Prefetch:
- WHOAMI.EXE
- SYSTEMINFO.EXE
- TASKLIST.EXE
- NET.EXE
- WMIC.EXE
Amcache / ShimCache
MFT / USN if outputs written
EDR process tree

MITRE ATT&CK References

T1082 System Information Discovery
T1033 System Owner/User Discovery
T1057 Process Discovery
T1007 System Service Discovery

Decision Tree

Which recon command executed?
- Single command
- Burst sequence
Parent process suspicious?
- Shell
- PowerShell
- Remote execution source
Output captured?
- Redirected file
- Clipboard
- Archive
Follow-up activity?
- Privilege escalation
- Credential access
- Lateral movement
Expand:
- Adjacent recon
- Network recon
- Persistence setup
Scope:
- Single host recon
- Automated toolkit
- Multi-host spread

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("whoami.exe","systeminfo.exe","tasklist.exe","hostname.exe","net.exe","wmic.exe")
| project TimeGenerated, Computer, Account, CommandLine

Sysmon
| where EventID == 1
| where Image has_any ("\\whoami.exe","\\systeminfo.exe","\\tasklist.exe","\\net.exe")
| project TimeGenerated, Computer, Image, ParentImage

EQL

process where process.name in ("whoami.exe","systeminfo.exe","tasklist.exe","hostname.exe","net.exe","wmic.exe")

sequence by host.name with maxspan=3m
  [ process where process.name == "whoami.exe" ]
  [ process where process.name == "systeminfo.exe" ]

Sigma

title: Local System Enumeration Detection
id: 4c7e2a91-local-enum
status: experimental
description: Detects common local reconnaissance commands
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    NewProcessName|endswith:
      - '\whoami.exe'
      - '\systeminfo.exe'
      - '\tasklist.exe'
      - '\hostname.exe'
      - '\net.exe'
      - '\wmic.exe'
  condition: selection
fields:
  - NewProcessName
  - CommandLine
falsepositives:
  - Administrative diagnostics
level: medium
tags:
  - attack.discovery

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Process monitoring	Alert on recon bursts	Critical	Strong early signal
Parent-child analysis	Identify remote source	High	Distinguish admin vs attacker
PowerShell logging	Capture scripted recon	High	Strong visibility
Baseline admin tools	Know normal usage	High	Reduce false positives
EDR sequence analytics	Detect recon chains	Critical	Better than single-command alerts