#T1087.001 Local Account

Technique

  • Tactics: Discovery
  • Description:

    Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

    Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS, the <code>dscl . list /Users</code> command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)

  • First Seen: Lazarus Group Recruitment: Threat Hunters vs Head Hunters • 2021-04-27
MITRE ATT&CK

Tagged Reports

2026-01-20
Picus Security
#Bluenoroff #T1593 #T1589 #T1543.001 #T1562.001 #T1059.002 #T1016 #T1059.005 #T1018 #T1566.003 #T1552.001 #T1583.003 #T1027.002 #T1204.004 #T1082 #T1548.002 #T1598.001 #T1074.001 #T1087.001 #T1547.001 #T1588.002 #T1005 #T1059.007 #T1587.001 #T1056.002 #T1176.001 #T1071.001 #T1543.004 #T1055 #T1027.010 #T1583.001 #T1036.005 #T1566.002 #T1548.006 #T1657
2025-08-29
Seqrite
#APT37 #LNK #RokRAT #T1102.002 #T1123 #T1027.013 #T1082 #T1566.001 #T1529 #T1087.001 #T1547.001 #T1140 #T1027.009 #T1005 #T1204.001 #T1070.004 #T1053.005 #T1041 #T1056.002 #T1113 #T1204.002 #T1055.009 #T1574.001 #T1055.001 #T1083 #T1059.001 #T1217
2025-08-18
Trellix
#Kimsuky #LNK #Phishing #XenoRAT #T1134 #T1102.002 #T1059.005 #T1106 #T1027 #T1568 #T1082 #T1566.001 #T1087.001 #T1567.002 #T1102.003 #T1053.005 #T1071.004 #T1204.002 #T1105 #T1071.001 #T1112 #T1083 #T1059.001 #T1569 #T1033 #T1036.005 #T1566.002 #T1569.002
2025-04-24
Kaspersky
#Innorix #LPEClient #Lazarus #SIGNBT #SyncHole #ThreatNeedle #AGAMEMNON #CrossEX #T1190 #T1027.013 #T1016 #T1570 #T1543.003 #T1583.003 #T1057 #T1082 #T1573.001 #T1218.011 #T1087.001 #T1620 #T1135 #T1049 #T1140 #T1087.002 #T1027.009 #T1608.004 #T1105 #T1071.001 #T1574.001 #T1574.002 #T1547.005 #T1083 #T1583.001 #T1007 #T1564.004 #T1573.002 #T1189 #T1584.001 #T1569.002
2024-07-15
Darkatlas
#Kimsuky #TrollAgent #T1005 #T1518.001 #T1059.003 #T1070.004 #T1083 #T1036 #T1539 #T1041 #T1113 #T1016 #T1555.003 #T1218.011 #T1087.001 #T1027.002 #T1071.001 #T1057 #T1082
2024-02-08
S2W
#D2Innovation #TrollStealer #Kimsuky #T1005 #T1518.001 #T1059.003 #T1083 #T1539 #T1059.001 #T1041 #T1588.004 #T1113 #T1016 #T1560 #T1555.003 #T1204.002 #T1087.001 #T1027.002 #T1071.001 #T1057 #T1082
2024-02-07
S2W
#D2Innovation #TrollStealer #Kimsuky #T1005 #T1518.001 #T1059.003 #T1083 #T1539 #T1059.001 #T1041 #T1588.004 #T1113 #T1016 #T1560 #T1555.003 #T1204.002 #T1087.001 #T1027.002 #T1071.001 #T1057 #T1082
2023-04-14
Attack IQ
#SupplyChain #3CXDesktopApp #SmoothOperator #T1055 #T1069.001 #T1543.003 #T1012 #T1016.001 #T1547.002 #T1087.001 #T1620 #T1049 #T1105 #T1071.001 #T1070.006 #T1574.001 #T1057 #T1082
2023-02-23
ESET
#Wslink #T1134.002 #T1012 #T1016 #T1106 #T1057 #T1082 #T1614 #T1614.001 #T1087.001 #T1135 #T1049 #T1087.002 #T1005 #T1070.004 #T1587.001 #T1531 #T1083 #T1059.001 #T1033 #T1560.002
2021-04-27
Ptsecurity
#DreamJob #T1136 #T1047 #T1012 #T1016 #T1106 #T1027 #T1566.003 #T1543.003 #T1132.002 #T1057 #T1082 #T1059.003 #T1218.011 #T1087.001 #T1135 #T1070.004 #T1069.002 #T1564.001 #T1021.002 #T1071.001 #T1033 #T1547.009
« Back