T1087 Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For example, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.


CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1087 Account Discovery
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-01.02 Least functionality Mitigates T1087 Account Discovery
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
PR.PS-01.03 Configuration deviation Mitigates T1087 Account Discovery
Comments: This diagnostic statement provides protection from Account Discovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
PR.AA-01.02 Physical and logical access Mitigates T1087 Account Discovery
Comments: This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
PR.AA-01.01 Identity and credential management Mitigates T1087 Account Discovery
Comments: This diagnostic statement protects against Account Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1087 Account Discovery
CM-07 Least Functionality mitigates T1087 Account Discovery
SI-04 System Monitoring mitigates T1087 Account Discovery
AC-02 Account Management mitigates T1087 Account Discovery

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1087 Account Discovery

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1087 Account Discovery
Comments: This control provides partial detection for some of this technique's sub-techniques and procedure examples, resulting in a Partial coverage score and consequently an overall score of Partial.
azure_role_based_access_control Azure Role-Based Access Control technique_scores T1087 Account Discovery
Comments: This control only provides protection for one of this technique's sub-techniques while not providing any protection for its procedure examples nor its remaining sub-techniques, and therefore its coverage score factor is Minimal, resulting in a Minimal score.
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1087 Account Discovery
defender_for_resource_manager Microsoft Defender for Resource Manager technique_scores T1087 Account Discovery
Comments: This control may alert on Azure cloud account discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its coverage score is Minimal, resulting in an overall Minimal score.

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1087 Account Discovery
Comments: Google Security Ops is able to trigger an alert based on command line arguments and suspicious system processes that could indicate an adversary's account discovery techniques. This technique was scored as Minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral
identity_and_access_management Identity and Access Management technique_scores T1087 Account Discovery
Comments: This control protects against adversaries gaining access to accounts within a specific environment or determining which accounts exist in order to follow on with malicious behavior. GCP IAM enables admins to grant access to cloud resources at fine-grained levels, which can prevent adversaries from maliciously using cloud accounts or gaining access to them. This control receives a Minimal score since it only covers one of the few sub-techniques.
identity_platform Identity Platform technique_scores T1087 Account Discovery
Comments: Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions to discover cloud accounts are limited in accordance with least privilege, and adversaries may be prevented from obtaining a listing of domain accounts.
policy_intelligence Policy Intelligence technique_scores T1087 Account Discovery
Comments: This control can be used to limit permissions to discover user accounts in accordance with least privilege principles and thereby limits the accounts that can be used for account discovery.
resource_manager Resource Manager technique_scores T1087 Account Discovery
Comments: Adversaries may attempt to get a listing of cloud accounts that are created and configured by an organization or admin. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_organizations AWS Organizations technique_scores T1087 Account Discovery
Comments: This control may protect against cloud account discovery but does not mitigate other forms of account discovery.

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1087.002 Domain Account 9
T1087.001 Local Account 9
T1087.004 Cloud Account 19