#T1087 Account Discovery

Technique

  • Tactics: Discovery
  • Description:

    Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

    Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

    For examples, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

  • First Seen: Lazarus Group • 2017-05-31
MITRE ATT&CK

Tagged Reports

2026-02-03
Red Asgard
#ContagiousInterview #Lazarus #T1566.003 #T1552.001 #T1114 #T1027.002 #T1573.001 #T1098 #T1547.001 #T1530 #T1496 #T1005 #T1053.005 #T1113 #T1219 #T1560 #T1204.002 #T1102.001 #T1071.001 #T1087 #T1573.002 #T1555.003 #T1056.001 #T1497.001
2024-07-31
Attack IQ
#Andariel #Blacksmith #T1562 #T1069 #T1047 #T1012 #T1016 #T1018 #T1543.003 #T1136.001 #T1654 #T1057 #T1082 #T1518.001 #T1003.001 #T1098 #T1049 #T1105 #T1087 #T1083 #T1033 #T1003
2024-07-26
Picus Security
#Andariel #T1087 #T1190 #T1083 #T1572 #T1090 #T1027 #T1567 #T1048 #T1021 #T1071 #T1059 #T1003
2024-07-26
Attack IQ
#Andariel #T1087 #T1082 #T1083 #T1053.005 #T1021.001 #T1048 #T1049 #T1105 #T1087.002 #T1003
2024-07-25
USCISA
#YARA #Andariel #T1190 #T1027 #T1595 #T1048 #T1592 #T1567 #T1071 #T1572 #T1591 #T1090 #T1021 #T1587.001 #T1560 #T1021.002 #T1039 #T1587.004 #T1087 #T1083 #T1040 #T1059 #T1596 #T1003
2024-07-19
Cyfirma
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1562.001 #T1190 #T1068 #T1543.003 #T1056 #T1595.002 #T1059.003 #T1566 #T1485 #T1218.011 #T1069.002 #T1010 #T1571 #T1102.001 #T1583.001 #T1555.003 #T1033 #T1497.001 #T1203 #T1036 #T1012 #T1027 #T1583.003 #T1071 #T1562.004 #T1614 #T1027.005 #T1548 #T1552 #T1140 #T1005 #T1053.005 #T1564.001 #T1555 #T1129 #T1070.001 #T1046 #T1070 #T1095 #T1569.002 #T1562 #T1573 #T1047 #T1552.001 #T1057 #T1082 #T1518.001 #T1176 #T1090 #T1518 #T1539 #T1041 #T1564 #T1560 #T1202 #T1071.001 #T1547 #T1112 #T1497 #T1059.001 #T1124 #T1056.001 #T1222 #T1070.006 #T1059 #T1564.003 #T1222.001 #T1056.004 #T1547.001 #T1584 #T1087.002 #T1070.004 #T1505.003 #T1113 #T1608.005 #T1204.002 #T1087 #T1574.002 #T1115 #T1083 #T1490 #T1053 #T1486 #T1566.002 #T1133 #T1021.004 #T1003
2023-08-24
Cisco Talos
#CVE-2022-47966 #QuiteRAT #T1087 #T1082
2023-04-26
Attack IQ
#Kimsuky #T1047 #T1016 #T1057 #T1082 #T1518.001 #T1074.001 #T1218.011 #T1547.001 #T1140 #T1053.005 #T1041 #T1105 #T1071.001 #T1218.010 #T1087 #T1115 #T1083 #T1033 #T1056.001 #T1048.002
2022-09-08
Cisco Talos
#VSingle #MagicRAT #YamaBot #T1562 #T1136 #T1190 #T1608 #T1543 #T1082 #T1090 #T1021 #T1140 #T1518 #T1219 #T1560 #T1547 #T1590 #T1087 #T1070 #T1083 #T1053 #T1033 #T1003
2022-04-29
PWC
#Trend #BlackBanshee #BlackAlicanto #T1589 #T1069 #T1190 #T1608 #T1036 #T1573 #T1036.007 #T1059.005 #T1068 #T1027 #T1570 #T1595 #T1048 #T1592 #T1615 #T1071 #T1482 #T1057 #T1082 #T1056 #T1059.003 #T1221 #T1566.001 #T1566 #T1074.001 #T1614.001 #T1016.001 #T1591 #T1548 #T1090 #T1547.001 #T1620 #T1049 #T1021 #T1135 #T1005 #T1078 #T1204.001 #T1070.004 #T1053.005 #T1041 #T1113 #T1132.001 #T1555 #T1560 #T1204.002 #T1105 #T1071.001 #T1039 #T1132 #T1547 #T1112 #T1070 #T1087 #T1083 #T1486 #T1124 #T1033 #T1210 #T1110 #T1095 #T1204 #T1059 #T1003
2020-08-26
USCISA
#BeagleBoyz #FASTCash2 #T1190 #T1562.001 #T1565.002 #T1543.003 #T1552.004 #T1056 #T1119 #T1565.003 #T1553.002 #T1485 #T1199 #T1021 #T1078 #T1010 #T1014 #T1574.001 #T1033 #T1203 #T1036 #T1012 #T1016 #T1059.005 #T1106 #T1027 #T1102 #T1071 #T1053.004 #T1027.005 #T1049 #T1140 #T1005 #T1129 #T1105 #T1110 #T1095 #T1489 #T1569.002 #T1573 #T1057 #T1082 #T1561.002 #T1518.001 #T1566.001 #T1548.003 #T1090 #T1041 #T1219 #T1560 #T1202 #T1562.003 #T1059.001 #T1189 #T1204 #T1070.006 #T1059 #T1101 #T1565.001 #T1056.004 #T1098 #T1547.001 #T1053.003 #T1562.006 #T1070.004 #T1505.003 #T1070.003 #T1113 #T1132.001 #T1020 #T1021.002 #T1218.001 #T1055 #T1087 #T1115 #T1083 #T1053 #T1486 #T1133 #T1021.001 #T1217
2020-07-29
Mcafee
#NorthStar #T1547 #T1087 #T1221 #T1566.001 #T1573 #T1129 #T1027 #T1033 #T1566.002 #T1566.003 #T1218 #T1204 #T1059 #T1082
2020-06-17
ESET
#Inception #T1047 #T1036 #T1012 #T1106 #T1018 #T1027 #T1050 #T1114 #T1048 #T1071 #T1086 #T1537 #T1082 #T1085 #T1117 #T1002 #T1035 #T1140 #T1078 #T1005 #T1116 #T1194 #T1220 #T1087 #T1070 #T1053 #T1110 #T1204 #T1059
2020-05-09
dinu135dk
#COVID-19 #Lazarus #T1047 #T1036 #T1106 #T1027 #T1057 #T1082 #T1056 #T1140 #T1032 #T1105 #T1022 #T1063 #T1087 #T1115 #T1497 #T1138 #T1124 #T1033 #T1045
2019-11-12
Strangereal Intel
#T1012 #T1016 #T1086 #T1179 #T1082 #T1057 #T1085 #T1089 #T1049 #T1005 #T1010 #T1022 #T1055 #T1060 #T1112 #T1115 #T1087 #T1132 #T1064 #T1124 #T1059 #Lazarus
« Back