T1087

Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)). Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and ...

Platforms: ESXi, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows

40 Detections
3 Sources
3 Threat Actors

BY SOURCE

21 elastic, 15 sigma, 4 splunk_escu

PROCEDURES (27)

The procedure groupings below are auto-extracted; each entry gives the grouping name and its detection count.

Process Creation Monitoring: 4 detections
General Monitoring: 4 detections
Remote: 2 detections
Lateral: 2 detections
Service: 2 detections
Privilege: 2 detections
Powershell: 2 detections
Cloud: 2 detections
Event Log: 2 detections
Remote: 1 detection
Suspicious: 1 detection
Suspicious: 1 detection
Exfiltrat: 1 detection
Service: 1 detection
Privilege: 1 detection
Suspicious: 1 detection
Unusual: 1 detection
Dump: 1 detection
Powershell: 1 detection
Aws: 1 detection
Aws: 1 detection
Credential: 1 detection
Unusual: 1 detection
Azure: 1 detection
Service: 1 detection
Privilege: 1 detection
Powershell: 1 detection

DETECTIONS (40)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

Account Discovery Command via SYSTEM Account (elastic, low)
Active Directory Discovery using AdExplorer (elastic, low)
AdFind Command Activity (elastic, low)
AWS Account Discovery By Rare User (elastic, low)
AWS Discovery API Calls via CLI from a Single Resource (elastic, low)
AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (elastic, medium)
AWS STS GetCallerIdentity API Called for the First Time (elastic, medium)
Chopper Webshell Process Pattern (sigma, high)
Direct Interactive Kubernetes API Request by Unusual Utilities (elastic, low)
Entra ID Sign-in BloodHound Suite User-Agent Detected (elastic, medium)
Entra ID Sign-in TeamFiltration User-Agent Detected (elastic, medium)
Enumerate Users Local Group Using Telegram (splunk_escu)
Enumeration Command Spawned via WMIPrvSE (elastic, low)
Enumeration of Administrator Accounts (elastic, low)
Enumeration of Users or Groups via Built-in Commands (elastic, low)
HackTool - SOAPHound Execution (sigma, high)
HackTool - winPEAS Execution (sigma, high)
Hacktool Ruler (sigma, high)
Malicious PowerShell Commandlets - PoshModule (sigma, high)
Malicious PowerShell Commandlets - ProcessCreation (sigma, high)
Malicious PowerShell Commandlets - ScriptBlock (sigma, high)
Mounting Hidden or WebDav Remote Shares (elastic, medium)
Network Reconnaissance Activity (sigma, high)
Potential Enumeration via Active Directory Web Service (elastic, medium)
Potential Meterpreter Reverse Shell (elastic, high)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities (sigma, medium)
PowerShell Suspicious Discovery Related Windows API Functions (elastic, low)
PUA - Seatbelt Execution (sigma, high)
SharpHound Recon Account Discovery (sigma, high)
Suspicious Access to LDAP Attributes (elastic, low)
Suspicious JetBrains TeamCity Child Process (elastic, medium)
Suspicious Use of PsLogList (sigma, medium)
Uncommon Connection to Active Directory Web Services (sigma, medium)
Unusual User Privilege Enumeration via id (elastic, medium)
Webshell Detection With Command Line Keywords (sigma, high)
Webshell Hacking Activity Patterns (sigma, high)
Windows Account Discovery for Sam Account Name (splunk_escu)
Windows Account Discovery With NetUser PreauthNotRequire (splunk_escu)
Windows Special Privileged Logon On Multiple Hosts (splunk_escu)