Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For example, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Service Accounts List API) On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-04 | OS Hardening and Base Controls | mitigates | T1087 | Account Discovery | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Preventing accounts from being enumerated and limiting accessible interfaces to obtain user lists can prevent adversaries from identifying valid email addresses and account names. |
| UEM-05 | Endpoint Management | mitigates | T1087 | Account Discovery | This control provides for the implementation of best practices for endpoint management. Adjusting access to user lists can prevent abuse of system functionality and help prevent adversaries from getting a listing of valid accounts or usernames. |
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1087 | Account Discovery | This control provides for the implementation of best practices for third-party endpoint management. Adjusting access to user lists can prevent abuse of system functionality and help prevent adversaries from getting a listing of valid accounts or usernames. |

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1087.004 | Cloud Account | 1 |