1. Home
  2. Techniques
  3. Enterprise
  4. Account Discovery
  5. Local Account

Account Discovery: Local Account

ID Name
T1087.001 Local Account
T1087.002 Domain Account
T1087.003 Email Account
T1087.004 Cloud Account

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups.[1][2][3] On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS, the dscl . list /Users command can be used to enumerate local accounts. On ESXi servers, the esxcli system account list command can list local user accounts.[4]

ID: T1087.001
Sub-technique of:  T1087
Tactic: Discovery
Platforms: ESXi, Linux, Windows, macOS
Contributors: Daniel Stepanic, Elastic; Miriam Wiesner, @miriamxyra, Microsoft Security
Version: 1.5
Created: 21 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0018 admin@338

admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: net user >> %temp%\download net user /domain >> %temp%\download[5]
S0331 Agent Tesla

Agent Tesla can collect account information from the victim’s machine.[6]
G0006 APT1

APT1 used the commands net localgroup,net user, and net group to find accounts on the system.[1]
G0022 APT3

APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.[7]
G0050 APT32

APT32 enumerated administrative users using the commands net localgroup administrators.[8]
G0096 APT41

APT41 used built-in net commands to enumerate local administrator groups.[9]
G1044 APT42

APT42 has used the PowerShell-based POWERPOST script to collect local account names from the victim machine.[10]

S0239 Bankshot

Bankshot gathers domain and account names/information through process monitoring.[11]
S0534 Bazar

Bazar can identify administrator accounts on an infected host.[12]
S0570 BitPaymer

BitPaymer can enumerate the sessions for each user logged onto the infected host.[13]
S0521 BloodHound

BloodHound can identify users with local administrator rights.[14]
G0114 Chimera

Chimera has used net user for account discovery.[15]
S0244 Comnie

Comnie uses the net user command.[16]
S0038 Duqu

The discovery modules used with Duqu can collect information on accounts and permissions.[17]
S1159 DUSTTRAP

DUSTTRAP can enumerate local user accounts.[18]
S0081 Elise

Elise executes net user after initial communication is made to the remote server.[19]
S0363 Empire

Empire can acquire local and domain user account information.[20]
S0091 Epic

Epic gathers a list of all user accounts, privilege classes, and time of last logon.[21]
G0117 Fox Kitten

Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.[22]
S0049 GeminiDuke

GeminiDuke collects information on local user accounts from the victim.[23]
S0537 HyperStack

HyperStack can enumerate all account names on a remote share.[24]
S1245 InvisibleFerret

InvisibleFerret has queried the victim device using Python scripts to obtain the User and Hostname.[25][26]
S0260 InvisiMole

InvisiMole has a command to list account information on the victim’s machine.[27]
S0265 Kazuar

Kazuar gathers information on local groups and members on the victim’s machine.[28]
G0004 Ke3chang

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[29]
S0236 Kwampirs

Kwampirs collects a list of accounts with the command net users.[30]
G0030 Lotus Blossom

Lotus Blossom has used commands such as net to profile local system users.[31]
G1051 Medusa Group

Medusa Group has leveraged net user for account discovery.[32]
S1146 MgBot

MgBot includes modules for identifying local administrator accounts on victim systems.[33]
S1015 Milan

Milan has run C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1 to discover local accounts.[34]
S0084 Mis-Type

Mis-Type may create a file containing the results of the command cmd.exe /c net user {Username}.[35]
G1009 Moses Staff

Moses Staff has collected the administrator username from a compromised host.[36]
S0233 MURKYTOP

MURKYTOP has the capability to retrieve information about users on remote hosts.[37]
S0039 Net

Commands under net user can be used in Net to gather information about and manipulate user accounts.[38]
G0049 OilRig

OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[39]
C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors used the net user command to gather account information.[40]
S0165 OSInfo

OSInfo enumerates local and domain users[7]
S0598 P.A.S. Webshell

P.A.S. Webshell can display the /etc/passwd file on a compromised host.[41]
S1145 Pikabot

Pikabot will retrieve the name of the user associated with the thread under which the malware is executing.[42]
S0453 Pony

Pony has used the NetUserEnum function to enumerate local accounts.[43]

G0033 Poseidon Group

Poseidon Group searches for administrator accounts on both the local victim machine and the network.[44]
S0378 PoshC2

PoshC2 can enumerate local and domain user account information.[45]
S0194 PowerSploit

PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.[46][47]
S0223 POWERSTATS

POWERSTATS can retrieve usernames from compromised hosts.[48]
S0196 PUNCHBUGGY

PUNCHBUGGY can gather user names.[49]
S0192 Pupy

Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.[50]
S1242 Qilin

Qilin can list all local users found on a targeted system.[51]
S1148 Raccoon Stealer

Raccoon Stealer checks the privileges of running processes to determine if the running user is equivalent to NT Authority\System.[52]
S0241 RATANKBA

RATANKBA uses the net user command.[53]
G1039 RedCurl

RedCurl has collected information about local accounts.[54][55]
S1240 RedLine Stealer

RedLine Stealer has collected account information from the victim’s machine.[56][57]
S0125 Remsec

Remsec can obtain a list of users.[58]
S0085 S-Type

S-Type has run the command net user on a victim.[35]
S0063 SHOTPUT

SHOTPUT has a command to retrieve information about connected users.[59]
S0649 SMOKEDHAM

SMOKEDHAM has used net.exe user and net.exe users to enumerate local accounts on a compromised host.[60]
S0516 SoreFang

SoreFang can collect usernames from the local system via net.exe user.[61]
S0603 Stuxnet

Stuxnet enumerates user accounts of the local host.[62]
G0027 Threat Group-3390

Threat Group-3390 has used net user to conduct internal discovery of systems.[63]
S0266 TrickBot

TrickBot collects the users of the system.[64][65]
G0010 Turla

Turla has used net user to enumerate local accounts on the system.[66][67]
S0452 USBferry

USBferry can use net user to gather information about local accounts.[68]

S0476 Valak

Valak has the ability to enumerate local admin accounts.[69]
G1017 Volt Typhoon

Volt Typhoon has executed net user and quser to enumerate local account information.[70]

Mitigations

ID Mitigation Description
M1028 Operating System Configuration

Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.[71]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0303 Local Account Enumeration Across Host Platforms AN0846

Adversary enumeration of local user accounts using Net.exe, WMI, or PowerShell.
AN0847

Enumeration of local users or groups via file access (/etc/passwd) or commands like id, groups.
AN0848

Enumeration of macOS local users using dscl, id, dscacheutil, or /etc/passwd access.
AN0849

Enumeration of local ESXi accounts using esxcli or vSphere API from unauthorized sessions.

References

  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. MacKenzie, D. and Robbins, A. (n.d.). id(1) - Linux man page. Retrieved January 11, 2024.
  3. MacKenzie, D. and Youngman, J. (n.d.). groups(1) - Linux man page. Retrieved January 11, 2024.
  4. Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
  5. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  6. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  7. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  8. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  9. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  10. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  11. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  12. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  13. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  14. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
  15. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  16. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  17. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  18. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  19. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  20. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  21. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  22. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  23. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  24. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  25. Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
  26. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
  27. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  28. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  29. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  30. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  31. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  32. Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025.
  33. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  34. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  35. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  36. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  1. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  2. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  3. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  4. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  5. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  6. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  7. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  8. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  9. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  10. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  11. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  12. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  13. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  14. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  15. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025.
  16. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  17. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  18. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  19. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  20. Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025.
  21. Splunk Threat Research Team. (2023, June 1). Do Not Cross The 'RedLine' Stealer: Detections and Analysis. Retrieved September 17, 2025.
  22. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  23. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  24. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  25. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  26. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  27. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  28. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  29. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  30. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  31. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  32. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  33. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  34. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  35. UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017.