Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
|M1028||Operating System Configuration||
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located
|ID||Data Source||Data Component||Detects|
Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor access to file resources that contain local accounts and groups information such as
If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.
Monitor for processes that can be used to enumerate user accounts and groups such as