title: Account Discovery (T1087)
id: df00tech-t1087
status: experimental
description: "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers. Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. On Windows, common discovery methods include net user, net localgroup, wmic useraccount list, Get-LocalUser, and Get-ADUser. On Linux and macOS, adversaries may read /etc/passwd, use getent, id, last, and who commands. In cloud environments, CLIs such as aws iam list-users, az ad user list, and gcloud iam service-accounts list are commonly abused. Observed threat actors leveraging this technique include Aquatic Panda, Scattered Spider, FIN13, and malware families such as Woody RAT, Havoc, TONESHELL, and ShimRatReporter."
references:
  - https://attack.mitre.org/techniques/T1087/
  - https://df00tech.com/detections/T1087
author: df00tech
date: 2026/04/17
tags:
  - attack.t1087
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated. The selections below are
  # derived from the Windows discovery commands listed in the description; a bare
  # EventID wildcard would match every process_creation event, so tune these before use.
  selection_net:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'   # net.exe hands most subcommands to net1.exe
    CommandLine|contains:
      - ' user'
      - ' localgroup'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'useraccount'
  selection_powershell:
    CommandLine|contains:
      - 'Get-LocalUser'
      - 'Get-ADUser'
  condition: 1 of selection_*
falsepositives:
  - IT administrators running net user or Get-ADUser as part of routine account auditing and helpdesk workflows
  - "Endpoint management agents (SCCM, Intune, Tanium) that enumerate local accounts during inventory collection"
  - "Security scanning tools (Nessus, Qualys, CrowdStrike Spotlight) performing authenticated enumeration for vulnerability assessment"
  - "HR and IAM automation scripts that synchronize user lists between directories (e.g., Azure AD Connect, Okta provisioning)"
  - Monitoring and SIEM agents that collect account information for baseline and compliance reporting
  - Developer tools and CI/CD pipelines that resolve user identities during build or deployment processes
level: medium
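To show how the Windows discovery commands named in the description translate into detection logic, here is an added Python example (not part of the df00tech rule or of Sigma itself) that evaluates Sigma-style `contains`/`endswith` selections over constructed Sysmon Event ID 1 style events. The field names, the sample command lines and the `InventoryAgent.exe` parent-process filter are assumptions made for illustration; the filter stands in for the inventory-agent false positive the rule lists.

```python
"""Evaluate Sigma-style selections for T1087 account discovery against
process_creation events. Sample events are constructed, not real telemetry."""

# Selections mirror the Windows discovery commands the rule's description lists.
# Sigma semantics: endswith/contains are case-insensitive; values in a list are
# OR'd; fields inside one selection are AND'd; selections are OR'd by the condition.
SELECTIONS = {
    "selection_net": {
        "Image|endswith": ["\\net.exe", "\\net1.exe"],
        "CommandLine|contains": [" user", " localgroup"],
    },
    "selection_wmic": {
        "Image|endswith": ["\\wmic.exe"],
        "CommandLine|contains": ["useraccount"],
    },
    "selection_powershell": {
        "CommandLine|contains": ["Get-LocalUser", "Get-ADUser"],
    },
}

# Hypothetical tuning filter (assumption, not from the rule): suppress enumeration
# spawned by an endpoint inventory agent, one of the listed false positives.
FILTER = {"ParentImage|endswith": ["\\InventoryAgent.exe"]}


def _field_matches(event, key, values):
    """Apply one 'Field|modifier' entry; any listed value matching is enough."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """Every field of the selection must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(event):
    """Names of matching selections, i.e. Sigma condition
    '1 of selection_* and not filter'."""
    if selection_matches(event, FILTER):
        return []
    return [name for name, sel in SELECTIONS.items() if selection_matches(event, sel)]


# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 user /domain",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic useraccount list full",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "Get-ADUser -Filter * | Select SamAccountName"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 'net use' (drive mapping) must not fire: ' user' requires the trailing r.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net use Z: \\\\fileserver\\share",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Inventory agent enumerating local accounts: matches selection_net but is filtered.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user",
     "ParentImage": r"C:\Program Files\Inventory\InventoryAgent.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return (event index, matched selections) for every event that fires."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for i, hits in run():
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine']!r} -> {hits}")
```

The leading space in `' user'` is deliberate: without it, `net use` (drive mapping, extremely common and benign) would fire on every workstation. The parent-process filter shows where the rule's false-positive list turns into logic; in production it should name the real agent binaries seen in your telemetry rather than the placeholder used here.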
