1. Home
  2. ATT&CK Techniques
  3. T1087 Account Discovery

T1087 Account Discovery Mappings

Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-6 Configuration Settings Protects T1087 Account Discovery
CM-7 Least Functionality Protects T1087 Account Discovery
SI-4 System Monitoring Protects T1087 Account Discovery
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1087 Account Discovery
Comments
This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows
azure_defender_for_resource_manager Azure Defender for Resource Manager technique_scores T1087 Account Discovery
Comments
This control may alert on Azure cloud account discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager
azure_sentinel Azure Sentinel technique_scores T1087 Account Discovery
Comments
This control provides specific forms of minimal coverage for half of this technique's sub-techniques, but does not address other procedures, resulting in an overall score of Minimal.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1087 Account Discovery
Comments
This control provides significant detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.
References
  1. https://docs.microsoft.com/en-us/defender-for-identity/what-is
role_based_access_control Role Based Access Control technique_scores T1087 Account Discovery
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for its procedure examples nor its remaining sub-technqiues and therefore its coverage score factor is Minimal, resulting in a Minimal score.
References
  1. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
azure_defender_for_app_service Azure Defender for App Service technique_scores T1087 Account Discovery
Comments
This control only covers one platform and procedure for one of this technique's sub-techniques, and minimal coverage of its procedure examples resulting in a Minimal overall score.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
  2. https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction
  3. https://azure.microsoft.com/en-us/services/app-service/
  4. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1087.004 Cloud Account 8
T1087.002 Domain Account 6
T1087.003 Email Account 1
T1087.001 Local Account 6