T1087 Account Discovery

This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.

This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

This diagnostic statement provides protection from Account Discovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement protects against Account Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This control provides specific forms of minimal coverage for half of this technique's sub-techniques, but does not address other procedures, resulting in an overall score of Minimal.

This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.

This control only provides protection for one of this technique's sub-techniques while not providing any protection for its procedure examples nor its remaining sub-technqiues and therefore its coverage score factor is Minimal, resulting in a Minimal score.

This control only covers one platform and procedure for one of this technique's sub-techniques, and minimal coverage of its procedure examples resulting in a Minimal overall score.

This control may alert on Azure cloud account discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.

Google Security Ops is able to trigger an alert based off command line arguments and suspicious system processes that could indicate adversary's account discovery techniques. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral

This control protects against adversaries gaining access to accounts within a specific environment or determining which accounts exists to follow on with malicious behavior. The usage of GCP IAM enables admins to grant access to cloud resources at fine-grained levels, possibly preventing adversaries of malicious use of cloud accounts and gaining access to them. This control receives a minimal score since it only covers one of the few sub-techniques.

Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions are limited to discover cloud accounts in accordance with least privilege and adversaries may be prevented from getting access to a listing of domain accounts.

This control can be used to limit permissions to discover user accounts in accordance with least privilege principles and thereby limits the accounts that can be used for account discovery.

Adversaries may attempt to get a listing of cloud accounts that are created and configured by an organization or admin. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.

This control may protect against cloud account discovery but does not mitigate against other forms of account discovery.

Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions detects Account Discovery attacks due to the File and Page Audit Log activities which monitors for access to file resources that contain local accounts and groups information and looks for non-admin objects (such as users or processes) attempting to access restricted file resources. License Requirements: Microsoft 365 E3 and E5

This control provides significant detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.

Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links: Reconnaissance and discovery alerts Persistence and privilege escalation alerts Credential access alerts Lateral movement alerts Other alerts License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.

The RBAC control can be used to partially protect against Cloud Account Discovery, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage score, it receives an overall score of minimal. License Requirements: ME-ID Built-in Roles (Free)

Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch. Advanced Threat Hunting Detects Account Discovery attacks due to the DeviceProcessEvents table in the advanced hunting schema that contains information about process creation and related events which monitors for processes that can be used to enumerate user accounts and groups. License Requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2

App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization App Governance Detects Account Discovery attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk License Requirements: Microsoft Defender for Cloud Apps

Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. Information Protection Detects Account Discovery attacks due to Information Protection Detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2