Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.
For examples, cloud environments typically provide easily accessible interfaces to obtain user lists.[1][2] On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.
| ID | Name | Description |
|---|---|---|
| C0062 | Anthropic AI-orchestrated Campaign |
During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to query internal database user account tables to enumerate accounts and identify high-privilege accounts within compromised environments.[3] |
| G0143 | Aquatic Panda |
Aquatic Panda used the |
| G1016 | FIN13 |
FIN13 has enumerated all users and their roles from a victim's main treasury system.[5] |
| S1229 | Havoc |
Havoc can identify privileged user accounts on infected systems.[6] |
| G1015 | Scattered Spider |
Scattered Spider has identified vSphere administrator accounts.[7] |
| S0445 | ShimRatReporter |
ShimRatReporter listed all non-privileged and privileged accounts available on the machine.[8] |
| C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using |
| S1239 | TONESHELL |
TONESHELL included functionality to retrieve a list of user accounts.[10] |
| S1065 | Woody RAT |
Woody RAT can identify administrator accounts on an infected machine.[11] |
| S0658 | XCSSET |
XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[12] |
| ID | Mitigation | Description |
|---|---|---|
| M1028 | Operating System Configuration |
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located |
| M1018 | User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0587 | Enumeration of User or Account Information Across Platforms | AN1612 |
Detection of processes performing local or domain account enumeration by invoking account directory queries or security APIs followed by structured output of account lists. The defender observes command execution or API invocation patterns that retrieve account information and produce enumeration artifacts shortly afterward. |
| AN1613 |
Enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow. |
||
| AN1614 |
Detection of account enumeration through directory service queries or system utilities accessing account metadata stores, followed by structured enumeration output. |
||
| AN1615 |
Detection of enumeration of identity entities through cloud provider APIs where principals retrieve account metadata such as IAM users or roles in rapid succession. |
||
| AN1616 |
Detection of identity directory enumeration through API calls or administrative queries retrieving multiple account objects within a short interval. |
||
| AN1617 |
Detection of enumeration activity when system processes query ESXi host account configuration or management APIs to retrieve user account listings. |
||
| AN1618 |
Account enumeration via bulk access to user directory features or hidden APIs. |
||
| AN1619 |
Account discovery via VBA macros, COM objects, or embedded scripting. |