T1087

Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)). Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and ...
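The detections listed on this page mostly key on the "built-in commands" part of that description. As an added example (not code from this page or from any of the detection vendors it catalogues), the block below runs a toy version of that logic over constructed ECS-style process-creation events: it flags net/net1, dsquery, whoami, wmic and PowerShell AD/Local cmdlet invocations that enumerate accounts, skips net user/group calls carrying manipulation switches (/add, /delete, /active), raises severity when the command runs as SYSTEM or under a remote-execution or webshell parent, tags enumeration of admin groups, and finally correlates bursts of distinct discovery commands per host. Field names, patterns, thresholds and the sample events are all assumptions.

```python
"""Added example: toy T1087 detector over constructed ECS-style process events.
Illustrative only; patterns, field names, thresholds and events are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Built-in enumeration binaries and the arguments that make a call account
# discovery rather than ordinary use (assumed patterns, not a vendor's list).
DISCOVERY_PATTERNS = {
    "net.exe":        re.compile(r"\s(user|group|localgroup)(\s|$)", re.I),
    "net1.exe":       re.compile(r"\s(user|group|localgroup)(\s|$)", re.I),
    "dsquery.exe":    re.compile(r"\s(user|group)(\s|$)", re.I),
    "whoami.exe":     re.compile(r"/(all|groups|priv)", re.I),
    "wmic.exe":       re.compile(r"\buseraccount\b", re.I),
    "powershell.exe": re.compile(r"Get-(AD|Local)(User|Group|GroupMember)\b", re.I),
}
# net user/group with these switches is account manipulation, a different
# technique, so it is deliberately not counted as discovery here.
MANIPULATION = re.compile(r"\s/(add|del(ete)?|active)\b", re.I)
ADMIN_TARGETS = re.compile(r"administrators|domain admins|enterprise admins", re.I)
SYSTEM_USERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Parents that imply remote execution or a webshell instead of an interactive admin.
REMOTE_PARENTS = {"wmiprvse.exe", "w3wp.exe", "httpd.exe", "tomcat.exe", "psexesvc.exe"}


def classify(event):
    """Return an alert dict for an account-discovery command, or None."""
    proc = event["process"]
    name = proc["name"].lower()
    cmd = proc["command_line"]
    pattern = DISCOVERY_PATTERNS.get(name)
    if pattern is None or not pattern.search(cmd):
        return None
    if name.startswith("net") and MANIPULATION.search(cmd):
        return None
    severity, tags = "low", ["account_discovery"]
    if event["user"]["name"].upper() in SYSTEM_USERS:
        severity, tags = "medium", tags + ["system_context"]
    if proc["parent"]["name"].lower() in REMOTE_PARENTS:
        severity, tags = "medium", tags + ["remote_or_webshell_parent"]
    if ADMIN_TARGETS.search(cmd):
        tags.append("admin_enumeration")
    return {"host": event["host"]["name"], "ts": event["@timestamp"],
            "severity": severity, "tags": tags, "cmd": cmd}


def burst_hosts(alerts, window_s=300, threshold=3):
    """Hosts where >= threshold distinct discovery commands fire within window_s seconds.
    A lone 'net user' is admin noise; a burst is the reconnaissance pattern."""
    by_host = defaultdict(list)
    for a in alerts:
        ts = datetime.fromisoformat(a["ts"].replace("Z", "+00:00"))
        by_host[a["host"]].append((ts, a["cmd"]))
    flagged = set()
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = {c for t, c in items[i:] if (t - start).total_seconds() <= window_s}
            if len(window) >= threshold:
                flagged.add(host)
                break
    return flagged


def ev(ts, host, user, parent, name, cmd):
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    return {"@timestamp": ts, "host": {"name": host}, "user": {"name": user},
            "process": {"name": name, "command_line": cmd, "parent": {"name": parent}}}


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00Z", "ws01", "alice", "explorer.exe", "net.exe", "net user"),
    ev("2024-05-01T10:00:05Z", "ws01", "alice", "cmd.exe", "net.exe", "net localgroup Administrators"),
    ev("2024-05-01T10:00:09Z", "ws01", "alice", "cmd.exe", "whoami.exe", "whoami /all"),
    ev("2024-05-01T10:05:00Z", "srv02", "SYSTEM", "WmiPrvSE.exe", "net.exe",
       'net group "Domain Admins" /domain'),
    ev("2024-05-01T10:06:00Z", "srv02", "bob", "cmd.exe", "net.exe", "net user svc_backup P@ss /add"),
    ev("2024-05-01T10:07:00Z", "ws03", "carol", "explorer.exe", "net.exe", r"net use \\fs01\share"),
]


def run(events=SAMPLE_EVENTS):
    """Classify every event, then correlate per-host bursts of distinct commands."""
    alerts = [a for a in (classify(e) for e in events) if a]
    return alerts, burst_hosts(alerts)


if __name__ == "__main__":
    alerts, bursts = run()
    for a in alerts:
        print(a["severity"], a["host"], a["tags"], a["cmd"])
    print("burst hosts:", sorted(bursts))
```

Two of the sample events are there as negative cases: the `/add` call is account creation rather than discovery, and `net use` maps a share and must not trip a pattern written for `net user`. The burst step is what separates one curious administrator from a host that runs user, group and privilege enumeration back to back.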

Platforms: ESXi, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows

50 detections, 5 sources, 3 threat actors

BY SOURCE: elastic 23, sigma 15, kql 6, splunk_escu 4, crowdstrike_cql 2

PROCEDURES (35)

Auto-extracted detection groupings (label: number of detections; labels are kept as extracted):
General Monitoring: 5 detections
Process Creation Monitoring: 4 detections
Exfiltrat: 2 detections
Event Log: 2 detections
Service: 2 detections
Azure: 2 detections
Privilege: 2 detections
Cloud: 2 detections
Powershell: 2 detections
Unusual: 1 detection
Exfiltrat: 1 detection
Privilege: 1 detection
Lateral: 1 detection
Dump: 1 detection
Suspicious: 1 detection
Lateral: 1 detection
Privilege: 1 detection
Unusual: 1 detection
Powershell: 1 detection
Suspicious: 1 detection
Remote: 1 detection
Aws: 1 detection
Aws: 1 detection
Suspicious: 1 detection
Aws: 1 detection
Service: 1 detection
Credential: 1 detection
Command Line Monitoring: 1 detection
Powershell: 1 detection
Api: 1 detection
Remote: 1 detection
Remote: 1 detection
Suspicious: 1 detection
Dump: 1 detection
Exfiltrat: 1 detection

DETECTIONS (50)

Each entry: rule name (source, severity where the source assigns one).

Account Discovery Command via SYSTEM Account (elastic, low)
Active Directory Discovery using AdExplorer (elastic, low)
AdFind Command Activity (elastic, low)
Anomalous Amount of LDAP traffic (kql)
AWS Account Discovery By Rare User (elastic, low)
AWS Discovery API Calls via CLI from a Single Resource (elastic, low)
AWS EC2 Role GetCallerIdentity from New Source AS Organization (elastic, medium)
AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (elastic, medium)
AWS STS GetCallerIdentity API Called for the First Time (elastic, medium)
AzureHound Detection (kql)
AzureHound Detection (kql)
Chopper Webshell Process Pattern (sigma, high)
Detect net(1).exe Discovery Activities (kql)
Direct Interactive Kubernetes API Request by Unusual Utilities (elastic, low)
Entra ID Sign-in BloodHound Suite User-Agent Detected (elastic, medium)
Entra ID Sign-in TeamFiltration User-Agent Detected (elastic, medium)
Enumerate Users Local Group Using Telegram (splunk_escu)
Enumeration Command Spawned via WMIPrvSE (elastic, low)
Enumeration of Administrator Accounts (elastic, low)
Enumeration of Users or Groups via Built-in Commands (elastic, low)
HackTool - SOAPHound Execution (sigma, high)
HackTool - winPEAS Execution (sigma, high)
Hacktool Ruler (sigma, high)
LDAP Enumeration (crowdstrike_cql)
List net(1).exe discovery activities (kql)
Malicious PowerShell Commandlets - PoshModule (sigma, high)
Malicious PowerShell Commandlets - ProcessCreation (sigma, high)
Malicious PowerShell Commandlets - ScriptBlock (sigma, high)
Microsoft Graph Multi-Category Reconnaissance Burst (elastic, medium)
Mounting Hidden or WebDav Remote Shares (elastic, medium)
Network Reconnaissance Activity (sigma, high)
Operation download all users in Azure Active directory performed (kql)
Potential Enumeration via Active Directory Web Service (elastic, medium)
Potential Meterpreter Reverse Shell (elastic, high)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities (sigma, medium)
PowerShell Suspicious Discovery Related Windows API Functions (elastic, low)
PUA - Seatbelt Execution (sigma, high)
SAMR Burst (BloodHound/PowerView) (crowdstrike_cql)
SharpHound Recon Account Discovery (sigma, high)
Suspicious Access to LDAP Attributes (elastic, low)
Suspicious JetBrains TeamCity Child Process (elastic, medium)
Suspicious Use of PsLogList (sigma, medium)
Uncommon Connection to Active Directory Web Services (sigma, medium)
Unusual User Privilege Enumeration via id (elastic, medium)
Webshell Detection With Command Line Keywords (sigma, high)
Webshell Hacking Activity Patterns (sigma, high)
Windows Account Discovery for Sam Account Name (splunk_escu)
Windows Account Discovery With NetUser PreauthNotRequire (splunk_escu)
Windows Special Privileged Logon On Multiple Hosts (splunk_escu)