T1087.001 Local Account Mappings

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as <code>net user</code> and <code>net localgroup</code> of the Net utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file.



| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-6 | Configuration Settings | Protects | T1087.001 | Local Account |
| CM-7 | Least Functionality | Protects | T1087.001 | Local Account |
| SI-4 | System Monitoring | Protects | T1087.001 | Local Account |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1087.001 | Local Account |
| azure_sentinel | Azure Sentinel | technique_scores | T1087.001 | Local Account |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1087.001 | Local Account |