
T1087 Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For example, cloud environments typically provide easily accessible interfaces to obtain user lists.[1][2] On hosts, adversaries can use default PowerShell and other command-line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system's files.

ID: T1087
Sub-techniques: T1087.001, T1087.002, T1087.003, T1087.004
Tactics: TA0007
Platforms: ESXi, IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Version: 2.6
Created: 31 May 2017
Last Modified: 24 October 2025

Procedure Examples

ID / Name: Description

G0143 Aquatic Panda: Aquatic Panda used the 'last' command in Linux environments to identify recently logged-in users on victim machines.[10]
G1016 FIN13: FIN13 has enumerated all users and their roles from a victim's main treasury system.[12]
S1229 Havoc: Havoc can identify privileged user accounts on infected systems.[7]
G1015 Scattered Spider: Scattered Spider has identified vSphere administrator accounts.[11]
S0445 ShimRatReporter: ShimRatReporter listed all non-privileged and privileged accounts available on the machine.[5]
C0024 SolarWinds Compromise: During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.[13]
S1239 TONESHELL: TONESHELL included functionality to retrieve a list of user accounts.[8]
S1065 Woody RAT: Woody RAT can identify administrator accounts on an infected machine.[6]
S0658 XCSSET: XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[9]

Mitigations

ID / Mitigation: Description

M1028 Operating System Configuration: Prevent administrator accounts from being enumerated when an application is elevating through UAC, since this can disclose account names. The registry value is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.[4]
M1018 User Account Management: Manage the creation, modification, use, and permissions associated with user accounts.
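An added audit and remediation helper for the M1028 setting (example code, not from the ATT&CK page or any of the cited reports). The registry path and value name are taken from the mitigation text; the function names and the 0/1 semantics stated in the comments are my own.

```powershell
# Added example for M1028, not part of the ATT&CK page.
# Registry path and value name come from the mitigation text. Semantics assumed here:
# EnumerateAdministrators = 1 means the "Enumerate administrator accounts on elevation"
# policy is Enabled (UAC credential prompts list local admin accounts);
# 0 or an absent value means Disabled, which is the default and the desired state.

$CredUiPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
$ValueName  = 'EnumerateAdministrators'

function Get-AdminEnumerationState {
    # Read-only audit: reports the current value and whether it matches M1028.
    $value = $null
    if (Test-Path -Path $CredUiPath) {
        $item = Get-ItemProperty -Path $CredUiPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.$ValueName }
    }
    [pscustomobject]@{
        Path      = "$CredUiPath\$ValueName"
        Value     = $value
        Compliant = ($null -eq $value) -or ($value -eq 0)
    }
}

function Disable-AdminEnumeration {
    # Writes 0 to the value. Requires an elevated session. On domain-joined hosts,
    # set the GPO listed in the mitigation instead: a Group Policy-managed value
    # overwrites local registry edits at the next policy refresh.
    if (-not (Test-Path -Path $CredUiPath)) {
        New-Item -Path $CredUiPath -Force | Out-Null
    }
    New-ItemProperty -Path $CredUiPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Get-AdminEnumerationState
}

# Usage: audit first; remediate only when the host is non-compliant.
$state = Get-AdminEnumerationState
$state | Format-List
if (-not $state.Compliant) {
    Write-Warning "$($state.Path) is $($state.Value): UAC prompts enumerate local administrator accounts."
    # Uncomment to remediate locally:
    # Disable-AdminEnumeration
}
```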

References


  1. Amazon. (n.d.). List Users. Retrieved August 11, 2020. 

  2. Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020. 

  3. Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024. 

  4. UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017. 

  5. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  6. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  7. Wan, Y. (2025, March 3). Havoc: SharePoint with Microsoft Graph API turns into FUD C2. Retrieved August 4, 2025. 

  8. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025. 

  9. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  10. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024. 

  11. Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025. 

  12. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. 

  13. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.