Account Discovery - T1087
(ATT&CK® Technique)
Definition
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
D3FEND Inferred Relationships
Offensive technique and the artifacts it touches:
Account Discovery (T1087) enumerates: Cloud User Account (d3f:CloudUserAccount), Domain User Account (d3f:DomainUserAccount), Local User Account (d3f:LocalUserAccount)

Defensive techniques, the artifacts they act on, and the inferred relationship to T1087:
Restore User Account Access (d3f:RestoreUserAccountAccess): restores Cloud User Account, Domain User Account, Local User Account; may-restore Account Discovery (T1087)
Domain Account Monitoring (d3f:DomainAccountMonitoring): monitors Domain User Account; may-detect Account Discovery (T1087)
Local Account Monitoring (d3f:LocalAccountMonitoring): analyzes Local User Account; may-detect Account Discovery (T1087)
User Account Permissions (d3f:UserAccountPermissions): restricts Local User Account, Cloud User Account, Domain User Account; may-isolate Account Discovery (T1087)
Account Locking (d3f:AccountLocking): disables Local User Account, Domain User Account, Cloud User Account; may-evict Account Discovery (T1087)
Agent Authentication (d3f:AgentAuthentication): strengthens Cloud User Account, Domain User Account, Local User Account; may-harden Account Discovery (T1087)
Unlock Account (d3f:UnlockAccount): restores Local User Account, Domain User Account, Cloud User Account; may-restore Account Discovery (T1087)