This note documents detection patterns related to Privilege Enumeration within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects enumeration commands and scripts. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for privilege discovery chains. |
| Security | 4672 | Special privileges assigned | High | Useful when enumeration follows elevated token creation. |
| PowerShell | 4104 | Script block logging | Critical | Captures scripted privilege checks. |
| Sysmon | 11 | File create | Medium | Output files created by enumeration scripts. |
| Sysmon | 22 | DNS query | Low | Occasionally adjacent when scripts pull remote helpers. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| whoami /priv executed | Direct privilege listing | Critical | Core privilege discovery signal. |
| whoami /groups | Group privilege context | Critical | Often paired with /priv. |
| net localgroup administrators | Admin membership check | Critical | Common attacker step. |
| PowerShell token inspection | Token privilege review | High | Scripted enumeration clue. |
| Repeated privilege commands | Recon chain | High | Operator workflow signal. |
| Enumeration before privesc | Clear attack staging | Critical | Strong sequence signal. |
Common Tools
| Tool | Usage |
|---|---|
| whoami.exe | Privilege and group checks |
| net.exe | Group membership |
| PowerShell | Token and privilege enumeration |
| accesschk.exe | Privilege inspection |
Relevant Artifacts
- Security Event IDs 4688, 4672
- Sysmon Event IDs 1, 11
- PowerShell 4104
- Commands:
  - whoami /priv
  - whoami /groups
  - net localgroup administrators
- Prefetch:
  - WHOAMI.EXE
  - NET.EXE
MITRE ATT&CK References
- T1069 Permission Groups Discovery
- T1033 System Owner/User Discovery
Decision Tree
- Which command?
  - whoami
  - net
  - PowerShell
- Interactive or scripted?
  - Manual shell
  - Batch
  - PowerShell
- Follow-on action?
  - Token abuse
  - UAC bypass
  - Service abuse
- Output stored?
  - File
  - Clipboard
  - Console only
- Expand:
  - Parent process
  - User context
  - Recon chain
- Scope:
  - Single check
  - Broad recon
  - Operator toolkit
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("whoami /priv","whoami /groups","net localgroup")
| project TimeGenerated, Computer, CommandLine
```
```kql
PowerShell
| where EventID == 4104
| where ScriptBlockText has_any ("whoami","Get-TokenInformation")
| project TimeGenerated, Computer, ScriptBlockText
```
EQL
```eql
process where process.command_line like "*whoami /priv*" or process.command_line like "*whoami /groups*"
```
```eql
sequence by host.name with maxspan=5m
  [ process where process.name == "whoami.exe" ]
  [ process where process.name in ("cmd.exe","powershell.exe") ]
```
Sigma
```yaml
title: Privilege Enumeration Detection
id: 6d2f8a14-privilege-enum
status: experimental
description: Detects privilege discovery commands
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
  keywords:
    CommandLine|contains:
      - 'whoami /priv'
      - 'whoami /groups'
      - 'net localgroup'
  condition: selection and keywords
fields:
  - CommandLine
falsepositives:
  - Legitimate admin troubleshooting
level: high
tags:
  - attack.discovery
```
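As an added example (not part of the original note), the following Python applies the same case-insensitive keyword selection as the Sigma rule above to constructed 4688-style records, then groups hits per host within the 5-minute span used by the EQL sequence, so a repeated discovery burst and its parent processes surface together for triage. The record field names and the sample events are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed Security 4688-style records (not real telemetry): three
# discovery commands on WS01 inside five minutes, one lone check on WS02.
SAMPLE_EVENTS = [
    {"time": "2026-03-07T10:00:00", "host": "WS01", "user": "jdoe", "parent": "explorer.exe", "cmdline": "whoami /priv"},
    {"time": "2026-03-07T10:00:12", "host": "WS01", "user": "jdoe", "parent": "cmd.exe", "cmdline": "WHOAMI /GROUPS"},
    {"time": "2026-03-07T10:01:03", "host": "WS01", "user": "jdoe", "parent": "cmd.exe", "cmdline": "net localgroup administrators"},
    {"time": "2026-03-07T11:30:00", "host": "WS02", "user": "helpdesk", "parent": "cmd.exe", "cmdline": "whoami /priv"},
    {"time": "2026-03-07T11:30:05", "host": "WS02", "user": "helpdesk", "parent": "cmd.exe", "cmdline": "ipconfig /all"},
]

# Same substrings as the Sigma rule's CommandLine|contains list; Sigma
# contains-matching is case-insensitive, so compare lower-cased.
DISCOVERY_PATTERNS = ("whoami /priv", "whoami /groups", "net localgroup")


def is_privilege_discovery(cmdline):
    """Single-event match, equivalent to the 4688 keyword selection."""
    lowered = cmdline.lower()
    return any(p in lowered for p in DISCOVERY_PATTERNS)


def find_recon_chains(events, maxspan=timedelta(minutes=5), min_hits=2):
    """Per host, group discovery hits that fall within maxspan of the first
    hit in the group; groups with at least min_hits are recon chains."""
    hits = sorted((e for e in events if is_privilege_discovery(e["cmdline"])),
                  key=lambda e: e["time"])
    by_host = {}
    for e in hits:
        by_host.setdefault(e["host"], []).append(e)
    chains = []

    def flush(host, chain):
        if len(chain) >= min_hits:
            chains.append({
                "host": host, "count": len(chain),
                "users": sorted({e["user"] for e in chain}),
                "parents": sorted({e["parent"] for e in chain}),  # triage context
                "commands": [e["cmdline"] for e in chain],
                "start": chain[0]["time"], "end": chain[-1]["time"],
            })

    for host, seq in by_host.items():
        chain = []
        for e in seq:
            if chain and (datetime.fromisoformat(e["time"])
                          - datetime.fromisoformat(chain[0]["time"])) > maxspan:
                flush(host, chain)
                chain = []
            chain.append(e)
        flush(host, chain)
    return chains
```

On the sample input only WS01 yields a chain (three commands, two distinct parent processes); WS02's single check is dropped because min_hits is 2.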
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on privilege commands | Strong recon signal | Critical | Low false positives |
| Preserve 4104 | Catch scripted checks | High | Valuable enrichment |
| Correlate with privesc shortly after | High-confidence sequence | Critical | Strong triage |
| Track parent process | Distinguish admin vs attacker | High | Useful context |
| Monitor repeated discovery bursts | Operator fingerprint | High | Valuable pattern |