Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For example, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1087 | Account Discovery | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1087 | Account Discovery | Comments: Google Security Ops can trigger an alert based on command-line arguments and suspicious system processes that may indicate adversary account discovery techniques. This technique was scored as minimal based on the low or uncertain detection coverage factor. References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral |
identity_and_access_management | Identity and Access Management | technique_scores | T1087 | Account Discovery | Comments: This control protects against adversaries gaining access to accounts within a specific environment or determining which accounts exist in order to follow on with malicious behavior. GCP IAM lets admins grant access to cloud resources at fine-grained levels, which can prevent adversaries from misusing cloud accounts or gaining access to them. This control receives a minimal score since it only covers one of the few sub-techniques. |
identity_platform | Identity Platform | technique_scores | T1087 | Account Discovery | Comments: Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With it, permissions to discover cloud accounts are limited in accordance with least privilege, and adversaries may be prevented from obtaining a listing of domain accounts. |
policy_intelligence | Policy Intelligence | technique_scores | T1087 | Account Discovery | Comments: This control can be used to limit permissions to discover user accounts in accordance with least-privilege principles, thereby limiting the accounts that can be used for account discovery. |
resource_manager | Resource Manager | technique_scores | T1087 | Account Discovery | Comments: Adversaries may attempt to get a listing of cloud accounts created and configured by an organization or admin. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts. |

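The technique description above notes that account discovery shows up on hosts as built-in command-line and PowerShell usage and in the cloud as calls to identity-listing APIs, and the Resource Manager comment recommends IAM audit logging to see who lists identities. The following is an added example, not code from this page or from the Mappings Explorer project, of detection logic that turns both observations into alerts. It goes beyond the GCP-only comment by also handling a Sysmon-style process event and an AWS CloudTrail record; the event shapes, the `google.iam.admin.v1.*` method names, the CloudTrail `eventSource`/`eventName` pairs, the `EXPECTED_LISTERS` allow-list, and every sample event are assumptions constructed for the example.

```python
"""Minimal T1087 (Account Discovery) detector over constructed sample events.

Added example; not code from the page or from the Mappings Explorer project.
The three event shapes (Sysmon-style process creation, a GCP audit log entry,
an AWS CloudTrail record) and the method/command names are assumptions taken
from public documentation, not from the page.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Host side: command lines typical of account enumeration, the kind of
# pattern a process-creation rule such as the one the page links would use.
HOST_PATTERNS = [
    (re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b", re.I), "net user/group listing"),
    (re.compile(r"\bGet-(?:Local|AD)User\b|\bGet-ADGroupMember\b", re.I), "PowerShell user/group cmdlet"),
    (re.compile(r"\bdsquery(?:\.exe)?\s+user\b", re.I), "dsquery user listing"),
    (re.compile(r"\bwhoami(?:\.exe)?\s+/all\b", re.I), "whoami /all"),
]

# Cloud side: API calls that return identity listings.
# GCP: values as they appear in protoPayload.methodName (assumed).
GCP_LIST_METHODS = {
    "google.iam.admin.v1.ListServiceAccounts": "IAM service account listing",
    "google.iam.admin.v1.ListRoles": "IAM role listing",
}
# AWS CloudTrail: (eventSource, eventName) pairs (assumed).
AWS_LIST_CALLS = {
    ("iam.amazonaws.com", "ListUsers"): "IAM user listing",
    ("organizations.amazonaws.com", "ListAccounts"): "Organizations account listing",
}
# Principals that are expected to list identities (e.g. an inventory job).
# Assumed value; as the page advises, review this set routinely.
EXPECTED_LISTERS = {"inventory-bot@example-project.iam.gserviceaccount.com"}


@dataclass(frozen=True)
class Alert:
    source: str     # "host", "gcp" or "aws"
    principal: str  # who issued the command or API call
    reason: str     # which listing behaviour matched


def check_process_event(event: dict) -> Optional[Alert]:
    """Sysmon-style process creation event: {'user': ..., 'command_line': ...}."""
    for pattern, reason in HOST_PATTERNS:
        if pattern.search(event.get("command_line", "")):
            return Alert("host", event.get("user", "?"), reason)
    return None


def check_gcp_audit_entry(entry: dict) -> Optional[Alert]:
    """GCP audit log entry in its JSON shape (protoPayload.methodName etc.)."""
    payload = entry.get("protoPayload", {})
    reason = GCP_LIST_METHODS.get(payload.get("methodName", ""))
    if reason is None:
        return None
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
    if principal in EXPECTED_LISTERS:
        return None  # known inventory job: suppressed to keep the signal clean
    return Alert("gcp", principal, reason)


def check_cloudtrail_record(record: dict) -> Optional[Alert]:
    """AWS CloudTrail record with eventSource/eventName/userIdentity fields."""
    reason = AWS_LIST_CALLS.get((record.get("eventSource", ""), record.get("eventName", "")))
    if reason is None:
        return None
    return Alert("aws", record.get("userIdentity", {}).get("arn", "?"), reason)


def scan(events: Iterable[dict]) -> List[Alert]:
    """Route each event to a checker by its shape and collect the alerts."""
    alerts: List[Alert] = []
    for ev in events:
        if "protoPayload" in ev:
            hit = check_gcp_audit_entry(ev)
        elif "eventSource" in ev:
            hit = check_cloudtrail_record(ev)
        else:
            hit = check_process_event(ev)
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "command_line": "net user /domain"},
    {"user": "CORP\\jdoe", "command_line": "notepad.exe report.txt"},
    {"user": "CORP\\svc-build", "command_line": "powershell.exe -c Get-ADUser -Filter *"},
    {"protoPayload": {"methodName": "google.iam.admin.v1.ListServiceAccounts",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"protoPayload": {"methodName": "google.iam.admin.v1.ListServiceAccounts",
                      "authenticationInfo": {"principalEmail": "inventory-bot@example-project.iam.gserviceaccount.com"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields four alerts: the two host commands, the GCP listing by `alice@example.com` (the inventory bot's identical call is suppressed by the allow-list), and the CloudTrail `ListUsers` call. One operational caveat for the GCP side: list calls are recorded as Data Access (ADMIN_READ) audit log entries, which are not enabled by default, so the audit logging the Resource Manager comment relies on has to be switched on before a rule like this sees anything.
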
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_organizations | AWS Organizations | technique_scores | T1087 | Account Discovery | Comments: This control may protect against cloud account discovery but does not mitigate other forms of account discovery. |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1087.002 | Domain Account | 1 |
T1087.001 | Local Account | 1 |
T1087.004 | Cloud Account | 7 |