Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For example, cloud environments typically provide easily accessible interfaces to obtain user lists.[1][2] On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system's files.
| ID | Name | Description |
|---|---|---|
| G0143 | Aquatic Panda | Aquatic Panda used the |
| G1016 | FIN13 | FIN13 has enumerated all users and their roles from a victim's main treasury system.[4] |
| S1229 | Havoc | Havoc can identify privileged user accounts on infected systems.[5] |
| G1015 | Scattered Spider | Scattered Spider has identified vSphere administrator accounts.[6] |
| S0445 | ShimRatReporter | ShimRatReporter listed all non-privileged and privileged accounts available on the machine.[7] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using |
| S1239 | TONESHELL | TONESHELL included functionality to retrieve a list of user accounts.[9] |
| S1065 | Woody RAT | Woody RAT can identify administrator accounts on an infected machine.[10] |
| S0658 | XCSSET | XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[11] |
| ID | Mitigation | Description |
|---|---|---|
| M1028 | Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located |
| M1018 | User Account Management | Manage the creation, modification, use, and permissions associated to user accounts. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0587 | Enumeration of User or Account Information Across Platforms | AN1612 | Detection of suspicious enumeration of local or domain accounts via command-line tools, WMI, or scripts. |
| | | AN1613 | Enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow. |
| | | AN1614 | Detection of user account enumeration through tools like dscl, dscacheutil, or loginshell enumeration via command-line. |
| | | AN1615 | Detection of API calls listing users, IAM roles, or groups in cloud environments. |
| | | AN1616 | Enumeration of user or role objects via IdP API endpoints or LDAP queries. |
| | | AN1617 | Account enumeration via esxcli, vim-cmd, or API calls to vSphere. |
| | | AN1618 | Account enumeration via bulk access to user directory features or hidden APIs. |
| | | AN1619 | Account discovery via VBA macros, COM objects, or embedded scripting. |
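The host-side analytics above (AN1612 for Windows command-line and script enumeration, AN1613 for reads of /etc/passwd or /etc/shadow on Linux, AN1614 for dscl and dscacheutil on macOS) describe what to look for but not how a rule would score it. The following is an added example, not code from MITRE or from the ATT&CK page: a small Python routine that runs a set of account-enumeration patterns over constructed process-creation events and raises the severity when the command comes from an unexpected parent process (an Office application or web server), runs as a service or web account, or touches the password hash file. The event schema, the pattern list, the suspicious-parent set and the sample events are all assumptions chosen for illustration; tune them to your own telemetry.

```python
"""Added example (not part of the ATT&CK page): flag account-enumeration
commands in constructed process-creation telemetry and score the context."""
import re
from collections import Counter

# Command-line patterns that commonly appear during account discovery,
# grouped by platform. This list is an assumption for the example, not an
# official analytic; real deployments will need more entries and tuning.
ENUM_PATTERNS = [
    ("windows", "net user/group listing",
     re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b", re.I)),
    ("windows", "AD/local account cmdlet",
     re.compile(r"\bGet-(ADUser|ADGroupMember|LocalUser|LocalGroupMember)\b", re.I)),
    ("windows", "dsquery/wmic user query",
     re.compile(r"\b(dsquery\s+user|wmic\s+useraccount|query\s+user)\b", re.I)),
    ("linux", "passwd/shadow file read",
     re.compile(r"/etc/(passwd|shadow)\b")),
    ("linux", "getent/lastlog listing",
     re.compile(r"\b(getent\s+passwd|lastlog)\b")),
    ("macos", "dscl/dscacheutil listing",
     re.compile(r"\b(dscl\s+\S+\s+-?list\s+/Users|dscacheutil\s+-q\s+user)\b")),
]

# Parents from which account enumeration is rarely legitimate (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe",
                      "apache2", "httpd", "nginx", "php-fpm"}
# Accounts that should not be walking the user directory interactively.
SERVICE_ACCOUNT = re.compile(r"^(www-data|nobody|apache|nginx|svc[_-])", re.I)

# Constructed sample events in a simplified normalized schema (not real logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "platform": "windows", "user": "jdoe", "parent": "cmd.exe",
     "image": "net.exe", "cmdline": "net user /domain"},
    {"host": "ws01", "platform": "windows", "user": "jdoe", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": 'powershell -nop -c "Get-ADUser -Filter *"'},
    {"host": "ws02", "platform": "windows", "user": "svc_backup", "parent": "services.exe",
     "image": "backup.exe", "cmdline": "backup.exe --full"},
    {"host": "web01", "platform": "linux", "user": "www-data", "parent": "apache2",
     "image": "cat", "cmdline": "cat /etc/passwd"},
    {"host": "web01", "platform": "linux", "user": "root", "parent": "sshd",
     "image": "getent", "cmdline": "getent passwd"},
    {"host": "web01", "platform": "linux", "user": "root", "parent": "cron",
     "image": "logrotate", "cmdline": "logrotate /etc/logrotate.conf"},
]


def classify(event):
    """Return a finding dict for one event, or None when no pattern matched.

    Severity is 'medium' for a bare match and 'high' when the surrounding
    context (parent, account, or target file) makes the command suspicious.
    """
    for platform, label, rx in ENUM_PATTERNS:
        if platform != event["platform"] or not rx.search(event["cmdline"]):
            continue
        reasons = []
        if event["parent"].lower() in SUSPICIOUS_PARENTS:
            reasons.append(f"unexpected parent {event['parent']}")
        if SERVICE_ACCOUNT.match(event["user"]):
            reasons.append(f"service/web account {event['user']}")
        if "/etc/shadow" in event["cmdline"]:
            reasons.append("password hash file referenced")
        return {"host": event["host"], "user": event["user"], "label": label,
                "severity": "high" if reasons else "medium",
                "reasons": reasons, "cmdline": event["cmdline"]}
    return None


def scan(events):
    """Run classify() over a batch and keep only the events that matched."""
    return [f for f in (classify(e) for e in events) if f is not None]


def summarize(findings):
    """Count findings per (host, user): several distinct enumeration commands
    from one principal in a short window is a stronger signal than any one."""
    return Counter((f["host"], f["user"]) for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['severity']:6}] {f['host']}/{f['user']}: {f['label']} "
              f"<{f['cmdline']}> {'; '.join(f['reasons'])}")
    for (host, user), n in summarize(results).items():
        print(f"{host}/{user}: {n} enumeration command(s)")
```

The per-principal counter is the piece worth keeping even if the pattern list is replaced: a single `net user` from a help-desk session is noise, while the same principal issuing three different listing commands within minutes, or any listing command spawned from a document viewer or web server worker, is what the DET0587 analytics are actually trying to surface.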