T1087 Account Discovery
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For example, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
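As an added detection example (not part of the ATT&CK page or any vendor's tooling), the following Python classifies process-creation command lines against the built-in host commands the description refers to, maps each to a T1087 sub-technique, and flags a user who runs several distinct enumeration commands. The events, field names and the `threshold` parameter are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (simplified Sysmon-style fields).
# These are made-up log lines, not data from the ATT&CK page.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "user": "CORP\\jdoe", "cmd": "notepad.exe C:\\notes.txt"},
    {"ts": "2024-01-10T09:02:11", "user": "CORP\\jdoe", "cmd": "net user /domain"},
    {"ts": "2024-01-10T09:02:15", "user": "CORP\\jdoe", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-01-10T09:02:40", "user": "CORP\\jdoe", "cmd": "whoami /all"},
    {"ts": "2024-01-10T09:05:00", "user": "CORP\\svc-backup", "cmd": "net user backupsvc P@ss /add"},
    {"ts": "2024-01-10T09:07:30", "user": "CORP\\admin1",
     "cmd": "powershell.exe -c Get-LocalGroupMember -Group Administrators"},
]

# Built-in enumeration commands mapped to the sub-technique they most often indicate.
# Order matters: the domain-scoped "net" rule must precede the local one.
RULES = [
    (re.compile(r"\bnet1?(\.exe)?\s+(user|group)\b.*\s/domain\b", re.I), "T1087.002"),
    (re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b", re.I), "T1087.001"),
    (re.compile(r"\bGet-Local(User|GroupMember)\b", re.I), "T1087.001"),
    (re.compile(r"\b(Get-ADUser|Get-ADGroupMember|dsquery\s+user)\b", re.I), "T1087.002"),
    (re.compile(r"\bwhoami(\.exe)?\s+/(all|groups)\b", re.I), "T1087.001"),
]
# Account creation or deletion is a different behaviour (Create Account), so it is excluded here.
MODIFY = re.compile(r"\s/(add|delete|del)\b", re.I)


def classify(cmd):
    """Return the sub-technique ID for an account-enumeration command line, or None."""
    if MODIFY.search(cmd):
        return None
    for pattern, sub in RULES:
        if pattern.search(cmd):
            return sub
    return None


def detect(events, threshold=2):
    """Group matches per user; return users that ran >= threshold distinct enumeration commands."""
    hits = defaultdict(list)
    for ev in events:
        sub = classify(ev["cmd"])
        if sub:
            hits[ev["user"]].append((ev["ts"], sub, ev["cmd"]))
    return {u: h for u, h in hits.items() if len({c for _, _, c in h}) >= threshold}


if __name__ == "__main__":
    for user, matches in detect(SAMPLE_EVENTS).items():
        print(user, matches)
```

A single `whoami` or `net user` is common administrative noise; the per-user threshold is what turns the individual matches into a signal worth triaging.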
| Field | Value |
|---|---|
| Sub-techniques | T1087.001, T1087.002, T1087.003, T1087.004 |
| Platforms | Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
| Created | 31 May 2017 |
| Last Modified | 15 April 2023 |
| ID | Name | Description |
|---|---|---|
| S0445 | ShimRatReporter | ShimRatReporter listed all non-privileged and privileged accounts available on the machine. [3] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using |
| S1065 | Woody RAT | Woody RAT can identify administrator accounts on an infected machine. [4] |
| S0658 | XCSSET | XCSSET attempts to discover accounts from various locations such as a user’s Evernote, AppleID, Telegram, Skype, and WeChat data. [5] |
| ID | Mitigation | Description |
|---|---|---|
| M1028 | Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC, since it can lead to the disclosure of account names. The Registry key is located |
[5] Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.