title: Local Account (T1087.001)
id: df00tech-t1087-001
status: experimental
description: "Adversaries may attempt to get a listing of local system accounts to aid in follow-on behavior such as privilege escalation, lateral movement, or credential access. On Windows, commands such as net user and net localgroup are commonly used. On Linux and macOS, commands such as id, groups, cat /etc/passwd, and dscl . list /Users enumerate local accounts. On ESXi, esxcli system account list retrieves local accounts. This information helps adversaries understand the account landscape, identify high-value targets like local administrators, and plan further attack steps."
references:
  - https://attack.mitre.org/techniques/T1087/001/
  - https://df00tech.com/detections/T1087.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1087.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches every process_creation event and is a placeholder only;
  # replace it with the actual query before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators running net user or net localgroup for routine account auditing and inventory
  - "Security monitoring tools and vulnerability scanners (Tenable, Qualys, CrowdStrike) that enumerate accounts during assessments"
  - "Software installation and configuration management tools (SCCM, Ansible, Puppet) that validate account configurations"
  - Helpdesk personnel running query user to check active sessions before performing maintenance
  - User provisioning automation scripts that verify account existence before creating or modifying accounts
level: medium
