T1087 Account Discovery
Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
| Item | Value |
|---|---|
| ID | T1087 |
| Sub-techniques | T1087.001, T1087.002, T1087.003, T1087.004 |
| Tactics | TA0007 |
| CAPEC ID | CAPEC-575 |
| Platforms | Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
| Permissions required | User |
| Version | 2.3 |
| Created | 31 May 2017 |
| Last Modified | 13 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 | APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.5 |
| S0445 | ShimRatReporter | ShimRatReporter listed all non-privileged and privileged accounts available on the machine.3 |
| S0658 | XCSSET | XCSSET attempts to discover accounts from various locations such as a user’s Evernote, AppleID, Telegram, Skype, and WeChat data.4 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1028 | Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. 2 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0009 | Process | Process Creation |
References
-
Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. ↩
-
UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017. ↩
-
Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. ↩
-
Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. ↩
-
Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. ↩