Description
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For example, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Service Accounts List API) On hosts, adversaries can use default PowerShell and other command-line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system's files.
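The host and cloud listing commands described above all leave a trace in process-creation telemetry (Windows Security event 4688 with command-line auditing, or Sysmon Event ID 1). The PowerShell below is an added example, not part of the ATT&CK page: it runs a simple hunt over a handful of constructed process-creation records, labels each command line with the kind of enumeration it performs, and raises the severity when several different enumeration techniques run from the same host and user inside a short window. The regex patterns, the 10-minute window, the field names and the sample events are assumptions made for the demo; adapt the patterns to your own baseline of administrator and help-desk tooling.

```powershell
# Added example (not MITRE ATT&CK content): hunt for account-discovery command lines in
# process-creation telemetry. Feed it the CommandLine field of Security 4688 / Sysmon 1 events.
# Everything in $SampleEvents is constructed for the demo, not real log data.

$AccountDiscoveryPatterns = @(
    @{ Name = 'net.exe user/group listing';   Regex = '(?i)\bnet1?(\.exe)?\s+(user|group|localgroup)\b' }
    @{ Name = 'PowerShell account cmdlets';   Regex = '(?i)\b(Get-LocalUser|Get-LocalGroupMember|Get-ADUser|Get-ADGroupMember)\b' }
    @{ Name = 'Directory/WMI query tools';    Regex = '(?i)\b(dsquery\s+user|wmic\s+useraccount|quser|query\s+user)\b' }
    @{ Name = 'Linux/macOS account listing';  Regex = '(?i)(^|\s)(last|lastlog|getent\s+passwd|dscl\s+\.\s+-list\s+/Users)(\s|$)|/etc/passwd' }
    @{ Name = 'AWS IAM user listing';         Regex = '(?i)\baws\s+iam\s+list-users\b' }
    @{ Name = 'GCP service-account listing';  Regex = '(?i)\bgcloud\s+iam\s+service-accounts\s+list\b' }
)

# Constructed sample records (assumed minimal shape: Time, Computer, User, CommandLine).
$SampleEvents = @(
    [pscustomobject]@{ Time = '2025-01-10T09:00:01Z'; Computer = 'WS01';      User = 'CORP\jdoe';   CommandLine = 'net user /domain' }
    [pscustomobject]@{ Time = '2025-01-10T09:00:09Z'; Computer = 'WS01';      User = 'CORP\jdoe';   CommandLine = 'net group "Domain Admins" /domain' }
    [pscustomobject]@{ Time = '2025-01-10T09:00:40Z'; Computer = 'WS01';      User = 'CORP\jdoe';   CommandLine = 'powershell.exe -nop -c "Get-LocalUser | ? Enabled"' }
    [pscustomobject]@{ Time = '2025-01-10T09:02:15Z'; Computer = 'WS01';      User = 'CORP\jdoe';   CommandLine = 'wmic useraccount get name,sid' }
    [pscustomobject]@{ Time = '2025-01-10T11:30:00Z'; Computer = 'HELPDESK3'; User = 'CORP\svc_it'; CommandLine = 'net user bsmith /domain' }   # single lookup, typical admin work
    [pscustomobject]@{ Time = '2025-01-10T13:05:22Z'; Computer = 'BASTION';   User = 'ops';         CommandLine = 'aws iam list-users --output json' }
    [pscustomobject]@{ Time = '2025-01-10T13:05:50Z'; Computer = 'BASTION';   User = 'ops';         CommandLine = 'gcloud iam service-accounts list' }
    [pscustomobject]@{ Time = '2025-01-10T14:00:00Z'; Computer = 'WS02';      User = 'CORP\asmith'; CommandLine = 'notepad.exe C:\Users\asmith\notes.txt' }
)

function Find-AccountDiscovery {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [object[]] $Patterns = $AccountDiscoveryPatterns,
        [int] $WindowMinutes = 10,          # burst window (assumed value)
        [int] $MinDistinctTechniques = 2    # distinct techniques inside the window that make it "High"
    )

    # Label each event with the first pattern it matches; unmatched events drop out here.
    $hits = foreach ($e in $Events) {
        foreach ($p in $Patterns) {
            if ($e.CommandLine -match $p.Regex) {
                [pscustomobject]@{
                    Time        = [datetime]::Parse($e.Time, [cultureinfo]::InvariantCulture,
                                      [System.Globalization.DateTimeStyles]::AdjustToUniversal)
                    Computer    = $e.Computer
                    User        = $e.User
                    Technique   = $p.Name
                    CommandLine = $e.CommandLine
                }
                break
            }
        }
    }

    # One summary row per host+user. A single lookup is reported Low (help-desk style);
    # several different enumeration techniques inside the window is the pattern that
    # usually precedes Valid Accounts abuse, so it is reported High.
    foreach ($group in ($hits | Group-Object Computer, User)) {
        $sorted = @($group.Group | Sort-Object Time)
        $burst  = $false
        for ($i = 0; $i -lt $sorted.Count -and -not $burst; $i++) {
            $windowEnd = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow  = $sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $windowEnd }
            $distinct  = @($inWindow | Select-Object -ExpandProperty Technique -Unique).Count
            if ($distinct -ge $MinDistinctTechniques) { $burst = $true }
        }
        $severity = if ($burst) { 'High' } else { 'Low' }
        [pscustomobject]@{
            Computer   = $sorted[0].Computer
            User       = $sorted[0].User
            Hits       = $sorted.Count
            Techniques = ($sorted.Technique | Select-Object -Unique) -join '; '
            Severity   = $severity
            FirstSeen  = $sorted[0].Time
        }
    }
}

# Expected on the sample data: WS01/jdoe and BASTION/ops come out High, HELPDESK3/svc_it Low,
# WS02/asmith does not appear at all.
Find-AccountDiscovery -Events $SampleEvents | Sort-Object Severity, Computer | Format-Table -AutoSize
```

To run this against live data, replace `$SampleEvents` with objects built from `Get-WinEvent` output (the 4688 `CommandLine` field is only populated when "Include command line in process creation events" is enabled). The patterns are deliberately broad; the burst logic, not the individual match, is what separates an attacker working through `net`, PowerShell and WMI in two minutes from an administrator checking one account.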
Platforms
Sub-Techniques (4)
Mitigations (2)
M1028 Operating System Configuration
Prevent administrator accounts from being enumerated when an application is elevating through UAC, since the elevation prompt can otherwise disclose account names. The setting is the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components >
M1018 User Account Management
Manage the creation, modification, use, and permissions associated with user accounts.
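For the M1028 setting above, the PowerShell below is an added example (not from the ATT&CK page) that audits the EnumerateAdministrators value on the local machine and sets it to 0 if it is enabled. It assumes the policy's documented default, that an absent value behaves like 0 (administrators are not listed), and that the script runs elevated. On domain-joined hosts the GPO should be used instead, since Group Policy refresh will overwrite a local change.

```powershell
# Added example (not MITRE ATT&CK content): audit and enforce "Enumerate administrator
# accounts on elevation" locally. EnumerateAdministrators = 1 makes the UAC credential
# prompt list every local administrator account, which is the disclosure M1028 prevents.
# Assumption: absent value == 0 (the policy's documented default). Run from an elevated shell.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
$ValueName = 'EnumerateAdministrators'

function Test-AdminEnumerationDisabled {
    # Returns $true when elevation prompts will NOT list administrator accounts.
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) {
        Write-Host "$ValueName is not set (default: administrators not enumerated)"
        return $true
    }
    Write-Host "$ValueName = $current"
    return ($current -eq 0)
}

function Disable-AdminEnumeration {
    # Create the policy key if it does not exist, then write an explicit DWORD 0.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

if (-not (Test-AdminEnumerationDisabled)) {
    Disable-AdminEnumeration
    if (Test-AdminEnumerationDisabled) { Write-Host 'Remediated: administrator enumeration on elevation disabled.' }
    else { Write-Warning "Could not set $ValueName; check that the shell is elevated and the key is not GPO-managed." }
}
```

Writing an explicit 0 rather than deleting the value is deliberate: it leaves an auditable record that the setting was reviewed, and it survives any later tool that treats "not configured" as permission to enable it.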
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) used the <code>last</code> command in Linux environments to identify recently logged-in users o... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has identified vSphere administrator accounts.(Citation: Mandiant VMware vSphere JUL 2025) |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has enumerated all users and their roles from a victim's main treasury system.(Citation: Mandiant FIN13... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S0445 | ShimRatReporter | Tool | [ShimRatReporter](https://attack.mitre.org/software/S0445) listed all non-privileged and privileged accounts available on the machine.(Citation: FOX-I... |
| S1065 | Woody RAT | Malware | [Woody RAT](https://attack.mitre.org/software/S1065) can identify administrator accounts on an infected machine.(Citation: MalwareBytes WoodyRAT Aug 2... |
| S1229 | Havoc | Malware | [Havoc](https://attack.mitre.org/software/S1229) can identify privileged user accounts on infected systems.(Citation: Fortinet Havoc MAR 2025) |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) included functionality to retrieve a list of user accounts.(Citation: Zscaler) |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, S... |
References
- Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.
- Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1087 (Account Discovery)?
T1087 is the MITRE ATT&CK technique named 'Account Discovery', in the Discovery tactic. Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers.
How can T1087 be detected?
Detection of T1087 (Account Discovery) rests on process-creation telemetry that captures command lines (Windows Security event 4688 with command-line auditing enabled, or Sysmon Event ID 1), PowerShell script block logging, LDAP query logging on domain controllers, and cloud audit trails of the account-listing API calls (for example CloudTrail records of IAM ListUsers). Look for the listing commands and cmdlets named in the Description, especially several different ones run from one host or session in a short window, and baseline the administrators and help-desk tooling that legitimately run them so that single lookups do not drown out bursts.
What mitigations exist for T1087?
Two mitigations are documented for T1087: Operating System Configuration (M1028) and User Account Management (M1018).
Which threat groups use T1087?
Known threat groups using T1087 include: Aquatic Panda, Scattered Spider, FIN13.