T1087 Account Discovery

Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.

| Item | Value |
| --- | --- |
| ID | T1087 |
| Sub-techniques | T1087.001, T1087.002, T1087.003, T1087.004 |
| Tactics | TA0007 |
| CAPEC ID | CAPEC-575 |
| Platforms | Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
| Permissions required | User |
| Version | 2.3 |
| Created | 31 May 2017 |
| Last Modified | 13 October 2021 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| G0016 | APT29 | APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment. [5] |
| S0445 | ShimRatReporter | ShimRatReporter listed all non-privileged and privileged accounts available on the machine. [3] |
| S0658 | XCSSET | XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data. [4] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1028 | Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC, since it can lead to the disclosure of account names. The Registry key is located at `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators`. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation. [2] |
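
One way to audit the M1028 setting on a single host, as an added example that is not part of the ATT&CK page. The function name and output fields are illustrative, and the 1 = enabled / 0 = disabled mapping of the DWORD is an assumption stated in the code.

```powershell
# Added example (not from the ATT&CK page). Function name and output shape are illustrative.
# Assumption: the policy is a REG_DWORD where 1 = enabled (administrators listed) and 0 = disabled.
function Test-EnumerateAdministratorsPolicy {
    [CmdletBinding()]
    param(
        # Write the hardened value (0) locally if it is not already set. Requires elevation.
        [switch]$Remediate
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
    $valueName = 'EnumerateAdministrators'

    # A missing key or value is not an error: it means the policy is Not Configured.
    $current = $null
    if (Test-Path -Path $keyPath) {
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.$valueName }
    }

    if     ($null -eq $current) { $state = 'NotConfigured' }
    elseif ($current -eq 0)     { $state = 'Disabled' }
    elseif ($current -eq 1)     { $state = 'Enabled' }
    else                        { $state = 'Unexpected' }

    if ($Remediate -and $state -ne 'Disabled') {
        if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $valueName -Value 0 -PropertyType DWord -Force | Out-Null
        $current = 0
        $state   = 'Disabled'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Value     = $current
        State     = $state
        # Compliant only when explicitly disabled, which is what the mitigation asks for.
        Compliant = ($state -eq 'Disabled')
    }
}

Test-EnumerateAdministratorsPolicy
```

A local write made with `-Remediate` is replaced at the next policy refresh if a domain GPO sets this value, so the GPO path above remains the place to enforce it across a fleet.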

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0009 | Process | Process Creation |

References
