T1087 Account Discovery
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
| Item | Value |
|---|---|
| ID | T1087 |
| Sub-techniques | T1087.001, T1087.002, T1087.003, T1087.004 |
| Tactics | TA0007 |
| Platforms | Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
| Version | 2.4 |
| Created | 31 May 2017 |
| Last Modified | 15 April 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0445 | ShimRatReporter | ShimRatReporter listed all non-privileged and privileged accounts available on the machine.3 |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.6 |
| S1065 | Woody RAT | Woody RAT can identify administrator accounts on an infected machine.4 |
| S0658 | XCSSET | XCSSET attempts to discover accounts from various locations such as a user’s Evernote, AppleID, Telegram, Skype, and WeChat data.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1028 | Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. 2 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0009 | Process | Process Creation |
References
-
Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. ↩
-
UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017. ↩
-
Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. ↩
-
MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. ↩
-
Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. ↩
-
Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. ↩