Skip to content

T1087 Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

Item Value
ID T1087
Sub-techniques T1087.001, T1087.002, T1087.003, T1087.004
Tactics TA0007
Platforms Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Version 2.4
Created 31 May 2017
Last Modified 15 April 2023

Procedure Examples

ID Name Description
S0445 ShimRatReporter ShimRatReporter listed all non-privileged and privileged accounts available on the machine.3
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.6
S1065 Woody RAT Woody RAT can identify administrator accounts on an infected machine.4
S0658 XCSSET XCSSET attempts to discover accounts from various locations such as a user’s Evernote, AppleID, Telegram, Skype, and WeChat data.5

Mitigations

ID Mitigation Description
M1028 Operating System Configuration Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. 2

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0009 Process Process Creation

References