DET0303: Local Account Enumeration Across Host Platforms
Analyst context for executives and security teams
This detection strategy is tied to ATT&CK technique T1087.001, Local Account, where an adversary enumerates local users and groups to understand what accounts exist on a host. For leaders, the practical issue is not the lookup itself; it is that account discovery often helps an intruder decide where to move next, what identities may be useful, and whether local privileged accounts exist. Because the related technique spans ESXi, Linux, macOS, and Windows, coverage should be validated across host platforms rather than assumed from one operating system’s logging.
Executive priority
Prioritize this as a readiness and visibility question: can the organization prove it can see suspicious local account discovery on critical endpoints, servers, and virtualization hosts? This matters for incident scoping, identity risk decisions, audit evidence around account monitoring, and early containment before follow-on activity. Budget and control discussions should focus on endpoint telemetry consistency, local account governance, and SOC triage quality across supported operating systems.
Technical view
The supplied ATT&CK object has no standalone detection text, but its relationship marks it as detecting T1087.001 Local Account under the Discovery tactic. SOC and detection engineering teams should validate monitoring for local user and group enumeration behavior on the related platforms: ESXi, Linux, macOS, and Windows. The relationship context specifically references commands/utilities such as Windows net user and net localgroup, and macOS/Linux id and groups. Detection should be tuned to distinguish routine administration, inventory, software management, and user troubleshooting from unusual enumeration patterns, especially enumeration performed by unexpected users, from unexpected processes, on unexpected hosts, or as one step in an incident sequence.
Likely telemetry
- Endpoint process execution telemetry showing local account or group enumeration utilities and command-line arguments
- Operating system audit logs related to local user and group queries where available
- Shell or command history telemetry where collected and appropriate
- EDR or host sensor events for process lineage, user context, parent process, and host identity
- Authentication and local account management context to distinguish enumeration from legitimate administration
Detection direction
- Map detections explicitly to T1087.001 rather than treating account enumeration as generic command execution.
- Validate coverage separately for Windows, Linux, macOS, and ESXi because the related technique spans these platforms and telemetry differs by host type.
- Include process lineage, user identity, host role, and timing in triage logic to reduce false positives from administrators, scripts, and management tooling.
- Look for enumeration by unusual users, from unusual parent processes, on sensitive systems, or clustered with other discovery behavior during an investigation.
- Confirm whether ESXi and non-Windows hosts produce telemetry that reaches the SOC; these are common blind spots when endpoint logging is Windows-centric.
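The triage logic described in the technical view and the detection direction list can be expressed as a small rule over process-execution telemetry. The following is an added example written for this page, not code from MITRE or Glexia: it recognises the enumeration utilities the page names (Windows net user and net localgroup, macOS/Linux id and groups), then scores each hit against a constructed baseline of expected users, expected parent processes, sensitive host roles, and clustering of discovery events on one host within a time window. The event schema, the BASELINE contents, the ten-minute window, and all sample events are assumptions constructed for illustration; a real deployment would take them from the organisation's EDR schema and documented administrative activity.

```python
"""Triage local-account enumeration events (ATT&CK T1087.001) across host platforms.

Added example for this page, not MITRE's or Glexia's code. The event schema,
the baseline, the clustering window and the sample events are all constructed.
"""
from datetime import datetime, timedelta

# Enumeration utilities named on the page, as command-line token prefixes per platform.
ENUM_COMMANDS = {
    "windows": {("net", "user"), ("net", "localgroup")},
    "linux": {("id",), ("groups",)},
    "macos": {("id",), ("groups",)},
}

# Constructed baseline: documented administrative activity the SOC expects to see.
BASELINE = {
    "expected_users": {"svc_inventory", "admin.jdoe"},
    "expected_parents": {"powershell.exe", "cmd.exe", "bash", "sh", "zsh", "sshd"},
    "sensitive_host_roles": {"domain-controller", "esxi-host", "jump-server"},
}
CLUSTER_WINDOW = timedelta(minutes=10)  # assumed window for "clustered discovery"


def _tokens(command_line):
    """Lower-case tokens; the executable is reduced to its base name without path or .exe."""
    parts = command_line.strip().lower().split()
    if not parts:
        return []
    exe = parts[0].replace("\\", "/").rsplit("/", 1)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return [exe] + parts[1:]


def is_enumeration(event):
    """True when the command line starts with an enumeration utility for the event's platform."""
    tokens = _tokens(event["command_line"])
    for pattern in ENUM_COMMANDS.get(event["platform"], ()):
        if tuple(tokens[: len(pattern)]) == pattern:
            return True
    return False


def triage(events, baseline=BASELINE, window=CLUSTER_WINDOW):
    """Return one finding per enumeration event with its triage reasons and a severity.

    Severity: no reasons -> "baseline" (expected administration),
    one reason -> "review", two or more -> "alert".
    """
    enum_events = [e for e in events if is_enumeration(e)]
    findings = []
    for e in enum_events:
        reasons = []
        if e["user"] not in baseline["expected_users"]:
            reasons.append("unexpected_user")
        if e["parent_process"].lower() not in baseline["expected_parents"]:
            reasons.append("unexpected_parent")
        if e["host_role"] in baseline["sensitive_host_roles"]:
            reasons.append("sensitive_host")
        # Clustered discovery: another enumeration event on the same host inside the window.
        if any(o is not e and o["host"] == e["host"]
               and abs(o["timestamp"] - e["timestamp"]) <= window for o in enum_events):
            reasons.append("clustered")
        severity = "baseline" if not reasons else ("review" if len(reasons) == 1 else "alert")
        findings.append({"host": e["host"], "user": e["user"], "platform": e["platform"],
                         "command_line": e["command_line"], "reasons": reasons,
                         "severity": severity})
    return findings


def _event(ts, host, role, platform, user, parent, cmd):
    return {"timestamp": datetime.fromisoformat(ts), "host": host, "host_role": role,
            "platform": platform, "user": user, "parent_process": parent, "command_line": cmd}


# Constructed sample telemetry (hosts, users and times are fictitious).
SAMPLE_EVENTS = [
    _event("2024-05-01T08:30:00", "ws-finance-07", "workstation", "windows",
           "svc_inventory", "powershell.exe", r"C:\Windows\System32\net.exe user"),
    _event("2024-05-01T08:41:00", "jump-01", "jump-server", "windows",
           "j.smith", "wscript.exe", "NET LOCALGROUP Administrators"),
    _event("2024-05-01T09:00:00", "db-prod-02", "database", "linux",
           "www-data", "sh", "/usr/bin/id"),
    _event("2024-05-01T09:01:00", "ws-finance-07", "workstation", "windows",
           "svc_inventory", "cmd.exe", r"net use \\fs01\share"),  # not enumeration
    _event("2024-05-01T09:03:00", "db-prod-02", "database", "linux",
           "www-data", "sh", "groups"),
    _event("2024-05-01T10:15:00", "mac-dev-11", "developer", "macos",
           "admin.jdoe", "zsh", "groups"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['host']:14} {f['user']:14} {f['command_line']!r} {f['reasons']}")
```

Run stand-alone, the script marks the inventory account on the workstation and the developer's shell on the Mac as baseline, the net use line is never considered, the two shell-spawned id and groups calls on the database host are raised to alert because they come from an unexpected user and cluster within the window, and the net localgroup call on the jump server is raised to alert on user, parent and host role together. The point is the structure rather than the particular lists: the same rule applies across Windows, Linux and macOS because the platform-specific part is isolated in ENUM_COMMANDS, and the baseline is the documented administrative activity the mitigation list asks teams to record.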
Mitigation priorities
- Maintain accurate inventory of local accounts and privileged local groups on critical systems.
- Reduce unnecessary local accounts and remove stale or unmanaged local privileges where business process allows.
- Standardize host logging and endpoint telemetry collection across the related platforms.
- Document expected administrative enumeration activity so SOC teams can tune detections without suppressing meaningful anomalies.
- Ensure incident response playbooks treat unexpected local account enumeration as discovery context that may inform containment, credential review, and host scoping.
Analyst notes and limits
This Glexia take is based on detection strategy DET0303 and its relationship to ATT&CK technique T1087.001 Local Account. The detection strategy object itself does not provide an official description, detection logic, tactics, or platforms; platform and tactic context come from the related technique. Local environment baselines are essential because account enumeration can be legitimate administrative activity.
No official detection text or analytics are supplied for DET0303, so this summary cannot assert specific detection coverage, required log sources, severity, or effectiveness. The relationship supports local account enumeration across ESXi, Linux, macOS, and Windows, but implementation details must be validated against each organization’s logging, endpoint tooling, and administrative practices.
Local Account Enumeration Across Host Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1087.001 | Local Account (sub-technique) | This object detects Local Account. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 82ff8de69920… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0303
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.