T1087 Account Discovery Mappings

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-06 Configuration Settings Protects T1087 Account Discovery
CM-07 Least Functionality Protects T1087 Account Discovery
SI-04 System Monitoring Protects T1087 Account Discovery
PUR-IP-E5 Information Protection Technique Scores T1087 Account Discovery
PUR-AS-E5 Audit Solutions Technique Scores T1087 Account Discovery
ME-RBAC-E3 Role Based Access Control Technique Scores T1087 Account Discovery
DEF-SECA-E3 Security Alerts Technique Scores T1087 Account Discovery
DO365-AG-E5 App Governance Technique Scores T1087 Account Discovery
DO365-ATH-E5 Advanced Threat Hunting Technique Scores T1087 Account Discovery

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1087.002 Domain Account 4
T1087.001 Local Account 3
T1087.004 Cloud Account 12