# T1087 Account Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

Monitor for processes that can be used to enumerate user accounts, such as <code>net.exe</code> and <code>net1.exe</code>, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Windows

  * Azure AD

  * Office 365

  * SaaS

  * IaaS

  * Linux

  * macOS

  * Google Workspace

### Adversary Required Permissions:

  * User

### Data Sources:

  * **User Account:** User Account Metadata

  * **File:** File Access

  * **Command:** Command Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) obtained a list of users and their roles from an Exchange server using <code>Get-ManagementRoleAssignment</code>.(Citation: Volexity SolarWinds)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) obtained a list of users and their roles from an Exchange server using <code>Get-ManagementRoleAssignment</code>.(Citation: Volexity SolarWinds)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1087)

  * [Capec](https://capec.mitre.org/data/definitions/575.html)

  * [Elastic - Koadiac Detection With Eql](https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql), Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### UNC2452 
- obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.

## Detection Blindspots

- Information Here

## Analytical References
  - https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
  - https://eqllib.readthedocs.io/en/latest/analytics/56fdf859-b2a7-4009-88e0-69fec4c3deef.html
  - https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_admin_recon.toml
  - https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_net_command_system_account.toml
  - https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_users_domain_built_in_commands.toml
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

