1. Home
  2. ATT&CK Techniques
  3. T1087 Account Discovery

T1087 Account Discovery Mappings

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For examples, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

View in MITRE ATT&CK®

Intel vPro Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
intel-tdt Intel Threat Detection Technology CrowdStrike AMS T1087 Account Discovery
Comments
Intel Threat Detection Technology (TDT), in combination with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of Account or Domain Account Discovery attacks. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, while minimizing system performance impact. Account or Domain Account Discovery techniques involve attackers enumerating user accounts or domain accounts within an organization. By discovering valid user credentials or domain accounts, adversaries can identify targets for further attacks, including lateral movement, privilege escalation, or credential harvesting. These techniques are often used to gather critical information about account structures, access levels, and administrative rights, enabling attackers to plan their next move more effectively. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow at the hardware level. This telemetry helps security teams detect abnormal behaviors, such as unauthorized attempts to query or enumerate user or domain accounts, often indicating reconnaissance or preparation for lateral movement. By continuously monitoring low-level system activities, Intel TDT can quickly detect and alert on suspicious actions targeting account or domain account discovery.
References
  1. https://attack.mitre.org/techniques/T1204/002/
  2. https://www.crowdstrike.com/en-us/blog/falcon-enhances-fileless-attack-detection-with-accelerated-memory-scanning/
  3. https://www.intel.com/content/www/us/en/it-management/intel-it-best-practices/advancing-intels-security-posture-with-crowdstrike.html
  4. https://www.intel.com/content/dam/www/central-libraries/us/en/documents/2022-09/intel-crowdstrike-solution-brief.pdf

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2021-44515 Zoho Desktop Central Authentication Bypass Vulnerability secondary_impact T1087 Account Discovery
Comments
CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
References
  1. https://www.tenable.com/blog/cve-2021-44515-zoho-patches-manageengine-zero-day-exploited-in-the-wild
  2. https://www.ic3.gov/CSA/2021/211220.pdf
CVE-2023-27532 Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability secondary_impact T1087 Account Discovery
Comments
CVE-2023-27532 is a vulnerability in their backup & replication servers exposed online which allows unauthenticated users to request encrypted credentials. Public reporting has indicated that various ransomware groups have exploited vulnerability to gain access and crash the backup infrastructure hosts, extract stored encrypted credentials, and deploy additional tools.
References
  1. https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
  2. https://www.securityweek.com/year-old-veeam-vulnerability-exploited-in-fresh-ransomware-attacks/
  3. https://www.group-ib.com/blog/estate-ransomware/
CVE-2022-41082 Microsoft Exchange Server Remote Code Execution Vulnerability secondary_impact T1087 Account Discovery
Comments
This vulnerability is exploited by a remote adversary who has either authenticated to a Microsoft Exchange Server or has gained access to PowerShell prior to leveraging this vulnerability. The adversary then performs remote code execution via PowerShell to install a Chopper web shell to perform Active Directory reconnaissance and data exfiltration.
References
  1. https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/
  2. https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  3. https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  4. https://www.kb.cert.org/vuls/id/915563

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1087.002 Domain Account 7
T1087.001 Local Account 1