Description
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS, the dscl . list /Users command can be used to enumerate local accounts. On ESXi servers, the esxcli system account list command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
Platforms
Mitigations (1)
Operating System ConfigurationM1028
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components
Threat Groups (18)
| ID | Group | Context |
|---|---|---|
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs account discovery using commands such as <code>net localgroup administrators</code> and <co... |
| G1009 | Moses Staff | [Moses Staff](https://attack.mitre.org/groups/G1009) has collected the administrator username from a compromised host.(Citation: Checkpoint MosesStaff... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has leveraged `net user` for account discovery.(Citation: Broadcom Medusa Ransomware Medusa Grou... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run <code>net user</code>, <code>net user /domain</code>, <code>net group “domain admins” /domain<... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used built-in <code>net</code> commands to enumerate local administrator groups.(Citation: Rostovcev AP... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has used commands such as `net` to profile local system users.(Citation: Cisco LotusBlossom 202... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) enumerated administrative users using the commands <code>net localgroup administrators</code>.(Citation... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has executed `net user` and `quser` to enumerate local account information.(Citation: CISA AA24-... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used the PowerShell-based POWERPOST script to collect local account names from the victim machine.(... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has collected information about local accounts.(Citation: group-ib_redcurl1)(Citation: group-ib_redcu... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>net user</code> for account discovery.(Citation: NCC Group Chimera January 2021) |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used <code>net user</code> to enumerate local accounts on the system.(Citation: ESET ComRAT May 202... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has accessed ntuser.dat and UserClass.dat on compromised hosts.(Citation: CISA AA20-259A Iran-Base... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has used a tool that can obtain info about local and global group users, power users, and administrators... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used <code>net user</code> to conduct internal discovery of systems.(Citation: SecureWo... |
| G0033 | Poseidon Group | [Poseidon Group](https://attack.mitre.org/groups/G0033) searches for administrator accounts on both the local victim machine and the network.(Citation... |
| G0018 | admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following commands following exploitation of a machine with [LOWBALL](https://attac... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) used the commands <code>net localgroup</code>,<code>net user</code>, and <code>net group</code> to find ... |
Associated Software (45)
| ID | Name | Type | Context |
|---|---|---|---|
| S0452 | USBferry | Malware | [USBferry](https://attack.mitre.org/software/S0452) can use <code>net user</code> to gather information about local accounts.(Citation: TrendMicro Tro... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) can collect account information from the victim’s machine.(Citation: DigiTrust Agent Tesla Jan ... |
| S0236 | Kwampirs | Malware | [Kwampirs](https://attack.mitre.org/software/S0236) collects a list of accounts with the command <code>net users</code>.(Citation: Symantec Orangeworm... |
| S0039 | Net | Tool | Commands under <code>net user</code> can be used in [Net](https://attack.mitre.org/software/S0039) to gather information about and manipulate user acc... |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has collected the Windows account username on the victim machine.(Citation: SophosGnGal_SystemBC_D... |
| S0196 | PUNCHBUGGY | Malware | [PUNCHBUGGY](https://attack.mitre.org/software/S0196) can gather user names.(Citation: Morphisec ShellTea June 2019) |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes modules for identifying local administrator accounts on victim systems.(Citation: Symantec D... |
| S0223 | POWERSTATS | Malware | [POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve usernames from compromised hosts.(Citation: FireEye MuddyWater Mar 2018) |
| S0038 | Duqu | Malware | The discovery modules used with [Duqu](https://attack.mitre.org/software/S0038) can collect information on accounts and permissions.(Citation: Symante... |
| S0049 | GeminiDuke | Malware | [GeminiDuke](https://attack.mitre.org/software/S0049) collects information on local user accounts from the victim.(Citation: F-Secure The Dukes) |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can list all local users found on a targeted system.(Citation: Trend Micro Agenda Ransomware AUG 2022... |
| S0165 | OSInfo | Malware | [OSInfo](https://attack.mitre.org/software/S0165) enumerates local and domain users(Citation: Symantec Buckeye) |
| S0063 | SHOTPUT | Malware | [SHOTPUT](https://attack.mitre.org/software/S0063) has a command to retrieve information about connected users.(Citation: Palo Alto CVE-2015-3113 July... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) can enumerate local and domain user account information.(Citation: GitHub PoshC2) |
| S0244 | Comnie | Malware | [Comnie](https://attack.mitre.org/software/S0244) uses the <code>net user</code> command.(Citation: Palo Alto Comnie) |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate local user accounts.(Citation: Google Cloud APT41 2024) |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has collected account information from the victim’s machine.(Citation: Proofpoint RedLine S... |
| S0521 | BloodHound | Tool | [BloodHound](https://attack.mitre.org/software/S0521) can identify users with local administrator rights.(Citation: CrowdStrike BloodHound April 2018) |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has queried the victim device using Python scripts to obtain the User and Hostname.(Citatio... |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145) will retrieve the name of the user associated with the thread under which the malware is executing.... |
References
- MacKenzie, D. and Robbins, A. (n.d.). id(1) - Linux man page. Retrieved January 11, 2024.
- MacKenzie, D. and Youngman, J. (n.d.). groups(1) - Linux man page. Retrieved January 11, 2024.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
- Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1087.001 (Local Account)?
T1087.001 is a MITRE ATT&CK technique named 'Local Account'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such a...
How can T1087.001 be detected?
Detection of T1087.001 (Local Account) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1087.001?
There are 1 documented mitigations for T1087.001. Key mitigations include: Operating System Configuration.
Which threat groups use T1087.001?
Known threat groups using T1087.001 include: Ke3chang, Moses Staff, Medusa Group, OilRig, APT41, Lotus Blossom, APT32, Volt Typhoon.