T1087: Account Discovery
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For example, cloud environments typically provide easily accessible interfaces to obtain user lists.[1][2] On hosts, adversaries can use default PowerShell and other command-line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
Analyst context for executives and security teams
Account Discovery is often an early sign that an intruder is mapping who exists in the environment before choosing higher-value targets for password attacks, phishing, or account takeover. Its business significance is that a simple user or email listing can turn one compromised host, cloud session, or SaaS account into a broader identity-driven incident.
Executive priority
Treat this as an identity and visibility priority, not just endpoint command noise. Leaders should ask whether account enumeration is logged consistently across Windows, Linux, macOS, ESXi, cloud IAM, identity providers, Office suites, and SaaS applications, and whether incident teams can distinguish normal administration from unusual discovery. The control priority is strong user account management, least-privilege account lifecycle practices, and hardened operating system configurations where built-in enumeration paths are unnecessary or overly exposed.
Technical view
ATT&CK lists Account Discovery under Discovery across ESXi, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, and Windows. The parent technique covers enumeration of valid accounts, usernames, and email addresses, with sub-techniques for local, domain, email, and cloud accounts. Because the official detection text is not provided, SOC teams should validate coverage against the related detection strategy DET0587, "Enumeration of User or Account Information Across Platforms," and test whether telemetry captures command-line, PowerShell, cloud IAM/API, identity provider, email directory, and SaaS account-listing activity. IR teams should treat confirmed enumeration as context for follow-on Valid Accounts risk, brute force, spear-phishing, or account takeover investigation, without assuming compromise impact from enumeration alone.
Likely telemetry
- Endpoint process creation and command-line activity on Windows, Linux, macOS, and ESXi where available
- PowerShell activity related to account, group, directory, or email address listing
- Authentication and authorization logs from identity providers
- Cloud IAM/API audit logs, including user and service-account listing activity where applicable
- Office suite and email platform audit logs for address list or account enumeration
Detection direction
- Validate whether DET0587-style account enumeration analytics exist across endpoint, cloud, identity provider, Office suite, and SaaS data sources rather than only on Windows hosts.
- Tune detections around unusual account-listing behavior by source user, host, role, timing, volume, and environment context; normal administrators and automated inventory tools can create false positives.
- Correlate account discovery with prior suspicious authentication, new or unusual sessions, privilege changes, command execution, or subsequent attempts against Valid Accounts.
- Check blind spots in cloud and SaaS audit retention, service-account visibility, PowerShell logging, macOS/Linux command telemetry, and ESXi administrative logging.
- Separate local, domain, email, and cloud account discovery use cases because each relies on different telemetry and ownership teams.
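To make the tuning points above concrete (source user, host, timing, volume and environment context, with local, domain, email and cloud discovery kept as separate use cases), the following is an added Python example; it is not Glexia's or MITRE's code. It takes a handful of constructed, already-normalized events from different telemetry sources, tags each with the sub-technique category it maps to, and raises an alert only when one actor shows unusual volume or category spread inside a short window, while a known inventory service account is reported as suppressed rather than alerted. The AWS ListUsers API and `gcloud iam service-accounts list` are the interfaces cited by the technique's references [1][2]; the PowerShell and Exchange cmdlet names, event field names, allowlist and thresholds are assumptions chosen for illustration.

```python
"""Platform-aware triage of account-enumeration telemetry (T1087).

Added example, not code from the page, Glexia or MITRE. Events are assumed
to be normalized into dicts with ts, platform, actor, host and detail fields;
the detail string carries the command line, CloudTrail eventName or cmdlet.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Telemetry pattern -> T1087 sub-technique category.
# ListUsers and `gcloud iam service-accounts list` come from the technique's
# references [1][2]; the cmdlet names below are assumed typical listing calls.
CATEGORY_RULES = [
    ("cloud",  re.compile(r"\bListUsers\b")),                        # CloudTrail eventName
    ("cloud",  re.compile(r"gcloud\s+iam\s+service-accounts\s+list")),
    ("local",  re.compile(r"Get-LocalUser\b", re.I)),                # local account listing
    ("domain", re.compile(r"Get-ADUser\b", re.I)),                   # domain account listing
    ("email",  re.compile(r"Get-GlobalAddressList\b", re.I)),        # address-list listing
]

# Identities that legitimately enumerate accounts on a schedule (assumed;
# in practice this comes from the organization's identity inventory).
KNOWN_INVENTORY_ACTORS = {"svc-inventory"}

WINDOW = timedelta(minutes=15)
MIN_EVENTS = 3       # volume threshold for one actor inside WINDOW
MIN_CATEGORIES = 2   # spread threshold: one person touching local+cloud+email is unusual

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T09:00:05Z", "platform": "windows",  "actor": "svc-inventory", "host": "WKS-01", "detail": "powershell.exe -Command Get-LocalUser"},
    {"ts": "2025-09-01T09:00:07Z", "platform": "windows",  "actor": "svc-inventory", "host": "WKS-02", "detail": "powershell.exe -Command Get-LocalUser"},
    {"ts": "2025-09-01T09:00:09Z", "platform": "windows",  "actor": "svc-inventory", "host": "WKS-03", "detail": "powershell.exe -Command Get-LocalUser"},
    {"ts": "2025-09-01T10:12:00Z", "platform": "windows",  "actor": "jdoe",          "host": "WKS-17", "detail": "powershell.exe -Command Get-ADUser -Filter *"},
    {"ts": "2025-09-01T10:14:30Z", "platform": "aws",      "actor": "jdoe",          "host": "cloudtrail", "detail": "iam.amazonaws.com ListUsers"},
    {"ts": "2025-09-01T10:15:10Z", "platform": "gcp",      "actor": "jdoe",          "host": "cloudshell", "detail": "gcloud iam service-accounts list --project example-proj"},
    {"ts": "2025-09-01T10:16:00Z", "platform": "exchange", "actor": "jdoe",          "host": "EXO",    "detail": "Get-GlobalAddressList"},
    {"ts": "2025-09-01T11:00:00Z", "platform": "windows",  "actor": "asmith",        "host": "WKS-22", "detail": "powershell.exe -Command Get-LocalUser"},
    {"ts": "2025-09-01T11:00:40Z", "platform": "windows",  "actor": "asmith",        "host": "WKS-22", "detail": "notepad.exe report.txt"},
    {"ts": "2025-09-01T13:00:00Z", "platform": "aws",      "actor": "jdoe",          "host": "cloudtrail", "detail": "iam.amazonaws.com GetUser"},
]


def classify(event):
    """Return the T1087 category for a normalized event, or None if no rule matches."""
    for category, pattern in CATEGORY_RULES:
        if pattern.search(event["detail"]):
            return category
    return None


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_enumeration_clusters(events):
    """Group matching events by actor and return (alerts, suppressed).

    An actor is reported when some WINDOW of their activity meets the volume
    or category-spread threshold; allowlisted inventory actors go to the
    suppressed list so the baseline stays visible without paging anyone.
    """
    by_actor = defaultdict(list)
    for ev in events:
        cat = classify(ev)
        if cat:
            by_actor[ev["actor"]].append((_parse_ts(ev["ts"]), cat, ev["platform"], ev["host"]))

    alerts, suppressed = [], []
    for actor, hits in by_actor.items():
        hits.sort()
        best, j = None, 0
        for i in range(len(hits)):
            # Two-pointer sliding window over time-sorted hits.
            while j < len(hits) and hits[j][0] - hits[i][0] <= WINDOW:
                j += 1
            window = hits[i:j]
            if len(window) >= MIN_EVENTS or len({h[1] for h in window}) >= MIN_CATEGORIES:
                if best is None or len(window) > len(best):
                    best = window
        if best is None:
            continue
        summary = {
            "actor": actor,
            "events": len(best),
            "categories": sorted({h[1] for h in best}),
            "platforms": sorted({h[2] for h in best}),
            "hosts": sorted({h[3] for h in best}),
            "start": best[0][0].isoformat(),
        }
        (suppressed if actor in KNOWN_INVENTORY_ACTORS else alerts).append(summary)
    return alerts, suppressed


if __name__ == "__main__":
    found, quiet = find_enumeration_clusters(SAMPLE_EVENTS)
    for a in found:
        print("ALERT", a)
    for s in quiet:
        print("SUPPRESSED (known inventory actor)", s)
```

In the constructed sample, `jdoe` touches domain, cloud and email listing interfaces from four different platforms within fifteen minutes and is alerted; `svc-inventory` exceeds the volume threshold but is a known inventory identity, so it is surfaced as suppressed; a single `Get-LocalUser` by `asmith` and an unrelated `GetUser` call produce nothing. The per-category tagging is what lets the local, domain, email and cloud use cases be routed to the teams that own each telemetry source.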
Mitigation priorities
- Prioritize M1018 User Account Management: maintain accurate account lifecycle controls, remove stale accounts, and enforce least privilege to reduce the value of enumeration.
- Review roles and permissions that allow broad user, service-account, group, or address-list visibility, especially in cloud, identity provider, Office suite, and SaaS environments.
- Apply M1028 Operating System Configuration by hardening default OS settings and reducing unnecessary features or exposures that make account information easier to enumerate.
- Ensure incident response playbooks define when account discovery triggers credential reset, session review, privilege review, or broader identity investigation.
- Use detection validation exercises to prove that account enumeration is visible across the platforms actually used by the organization.
Analyst notes and limits
Relationship context shows this technique is used by multiple campaigns, groups, and software entries, and has four sub-techniques covering local, domain, email, and cloud accounts. These relationships support treating Account Discovery as a common enabling behavior, but they do not by themselves indicate current activity in any specific environment.
The official ATT&CK object provides no detection text, so detection guidance is based on the technique description, platforms, sub-technique relationships, the DET0587 detection-strategy relationship, and listed mitigations. Local architecture, logging configuration, administrative workflows, and cloud/SaaS audit capabilities are required to determine actual coverage.
Account Discovery
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1087.003 | Email Account Sub-technique | Email Account subtechnique of this object. |
| Enterprise | T1087.004 | Cloud Account Sub-technique | Cloud Account subtechnique of this object. |
| Enterprise | T1087.002 | Domain Account Sub-technique | Domain Account subtechnique of this object. |
| Enterprise | T1087.001 | Local Account Sub-technique | Local Account subtechnique of this object. |
Groups, software, and campaigns
G0143: Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]
G1016: FIN13
S0445: ShimRatReporter
ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[1]
S1065: Woody RAT
S1229: Havoc
Havoc is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it with community contributors. Havoc provides a wide range of offensive security capabilities and has been adopted by multiple threat actors to establish and maintain control over compromised systems.
S1239: TONESHELL
S0658: XCSSET
XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]
C0062: Anthropic AI-orchestrated Campaign
The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations at approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign, human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.[1][2]
C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.6 | | Current bundle | be431b2c00ce… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] AWS List Users. Amazon. (n.d.). List Users. Retrieved August 11, 2020.
[2] Google Cloud - IAM Service Accounts List API. Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.
[3] Elastic - Koadic Detection with EQL. Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.
[4] mitre-attack T1087.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.