Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0254: Analytic 0254

Adversary launches built-in system tools (e.g., whoami, query user, net user) or scripts that enumerate user account information via local execution or remote API queries (e.g., WMI, PowerShell).

EnterpriseAN0254AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic describes Windows activity where an adversary uses built-in tools or scripts to enumerate user account information, such as through whoami, query user, net user, WMI, or PowerShell. For leaders, the value is not the tool names themselves; it is that account discovery often helps an intruder understand who has access, where to move next, and which identities may be useful. Because the object has no official detection logic, organizations should treat it as a validation prompt for Windows identity and endpoint telemetry rather than as a ready-made rule.

Executive priority

Prioritize this as an identity and SOC readiness question: can the organization reliably see and investigate unusual user-account enumeration on Windows, including remote queries? This supports incident decision-making by helping responders determine whether a host is being used for reconnaissance. It also provides useful audit and control evidence around endpoint logging, PowerShell/WMI visibility, and identity monitoring. Budget and control discussions should focus on telemetry completeness and analyst workflow, not on blocking every legitimate administrative query.

Technical view

SOC and detection teams should validate visibility for Windows processes and scripts that enumerate account information, including built-in commands and remote API mechanisms referenced by the object: whoami, query user, net user, WMI, and PowerShell. Since MITRE provides no official detection text and no ATT&CK tactic mapping in the supplied fields, detections should be environment-specific and behavior-based: identify unusual frequency, unusual source hosts, unexpected users, remote execution context, or enumeration occurring near other suspicious activity. IR teams should be prepared to pivot from these events to the initiating user, parent process, host, remote target, and surrounding authentication or administrative activity.

Likely telemetry

  • Windows process creation telemetry with command-line arguments
  • PowerShell execution and script block or module logging where enabled
  • WMI activity and remote management telemetry
  • Windows authentication and logon/session evidence relevant to queried users or remote access
  • Endpoint detection and response records for parent/child process context

Detection direction

  • Confirm that Windows command-line process creation is collected and searchable for account-enumeration utilities such as whoami, query user, and net user.
  • Validate visibility into PowerShell and WMI-based account queries, including remote execution paths where logging is available.
  • Tune detections around context: administrative tools are commonly legitimate, so prioritize unusual users, non-admin workstations querying many accounts, rare parent processes, unusual timing, or enumeration following suspicious execution.
  • Correlate account enumeration with authentication, remote management, and endpoint events to reduce false positives and support incident triage.
  • Document blind spots where command-line arguments, PowerShell detail, WMI telemetry, or remote target information are not retained.

Mitigation priorities

  • First, ensure logging coverage for Windows process creation, PowerShell, WMI, and relevant authentication/session activity.
  • Second, restrict and monitor administrative access paths so that remote enumeration capabilities are limited to expected roles and systems.
  • Third, baseline normal administrative account-query behavior to support tuning and reduce alert fatigue.
  • Fourth, integrate detections into incident response playbooks so analysts can quickly determine whether enumeration is benign administration or part of suspicious reconnaissance.
  • Finally, use findings from coverage gaps to inform identity governance, endpoint hardening, and compliance evidence collection.
Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied MITRE fields identify Windows account-enumeration behavior using built-in tools, scripts, WMI, and PowerShell, but provide no official detection logic, no tactics, and no relationship context. Treat this as a coverage and validation requirement rather than a complete detection rule.

The source fields do not include detection pseudocode, data components, related techniques, adversary groups, campaigns, mitigations, or active exploitation claims. Any prioritization, thresholds, or alert logic must be derived from local Windows administration patterns, telemetry quality, and incident history.

Official MITRE ATT&CK definition

Analytic 0254

Adversary launches built-in system tools (e.g., whoami, query user, net user) or scripts that enumerate user account information via local execution or remote API queries (e.g., WMI, PowerShell).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
9ff4263c6a858fe5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 9ff4263c6a85…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0254
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use