T1087 — Account Discovery

Technique

T1087

Tactics

Discovery

MISP citations

0

KEV CVEs mapped

6

Community rules

16

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1087

MITRE description

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)). Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. For examples, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2024-13161
• CVE-2024-13160
• CVE-2024-13159
• CVE-2023-27532
• CVE-2022-41082
• CVE-2021-44515

Detection coverage

SigmaHQ community rules

• Potential Pikabot Discovery Activity (emerging-threats)
• SharpHound Recon Account Discovery (core)
• Hacktool Ruler (core)
• Uncommon Connection to Active Directory Web Services (core)
• Malicious PowerShell Commandlets - PoshModule (core)
• Malicious PowerShell Commandlets - ScriptBlock (core)
• HackTool - SOAPHound Execution (core)
• HackTool - winPEAS Execution (core)
• Network Reconnaissance Activity (core)
• Malicious PowerShell Commandlets - ProcessCreation (core)
• PUA - Seatbelt Execution (core)
• Potentially Suspicious EventLog Recon Activity Using Log Query Utilities (core)
• Suspicious Use of PsLogList (core)
• Chopper Webshell Process Pattern (core)
• Webshell Hacking Activity Patterns (core)
• Webshell Detection With Command Line Keywords (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.