Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-06 | Configuration Settings | Protects | T1087 | Account Discovery |
| CM-07 | Least Functionality | Protects | T1087 | Account Discovery |
| SI-04 | System Monitoring | Protects | T1087 | Account Discovery |
| PUR-IP-E5 | Information Protection | Technique Scores | T1087 | Account Discovery |
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1087 | Account Discovery |
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1087 | Account Discovery |
| DEF-SECA-E3 | Security Alerts | Technique Scores | T1087 | Account Discovery |
| DO365-AG-E5 | App Governance | Technique Scores | T1087 | Account Discovery |
| DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1087 | Account Discovery |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1087.002 | Domain Account | 4 |
| T1087.001 | Local Account | 3 |
| T1087.004 | Cloud Account | 12 |