T1087.001: T1087.001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 21/02/2020 22:07 · Modified 21/04/2026 11:28

Essential information

MITRE technique ID: T1087.001
Confidence: 100/100
Revoked: No
Published: 21/02/2020 22:07
Modified: 21/04/2026 11:28
Author / Source: The MITRE Corporation

Aliases

Local Account

Platforms

windows macos linux ESXi

Description

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as `net user` and `net localgroup` of the [Net](https://attack.mitre.org/software/S0039) utility and `id` and `groups` on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the `/etc/passwd` file. On macOS, the `dscl . list /Users` command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)

Kill chain phases

Kill chain	Phase
mitre-attack	discovery

Marking (TLP)

External references

Crowdstrike Hypervisor Jackpotting Pt 2 2021
Elastic - Koadiac Detection with EQL
Mandiant APT1
groups man page
id man page
mitre-attack (T1087.001)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (34)

Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Moses Staff uses DEV-0500Marigold Sandstorm

The MITRE Corporation Confidence 100

[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FishMonger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA4557/FIN6 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT42 uses

The MITRE Corporation Confidence 100

[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted…

First seen 01/01/1970 · Last seen 16/11/5138 ·
admin@338 uses

The MITRE Corporation Confidence 100

[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
PhantomRaven uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Fox Kitten uses UNC757Parisite

The MITRE Corporation Confidence 100

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera uses

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 34

Pikabot uses

Family
BackConnect uses

Family
GOVERSHELL uses

Family
W32.Stuxnet uses

Family
ShadowPad - S0596 uses

Family
SquidDoor uses

Family
ToneShell uses

Family
POWERSTATS uses
Agamemnon downloader uses

Family
ChromElevator uses

Family
crypto-javascri uses

Family
BlueHammer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 69

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Inside a Tor Backed Supply Chain Worm related

AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT
Iran-Linked Hackers Breached Korean Electronics Maker in Global … related

AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
UAT-8302 and its box full of malware related

3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
PhantomRaven Wave 5: New Undocumented NPM Supply Chain … related

AlienVault Confidence 100 1 CVE 20 MITREs 17 IOCs 17 Observables 1 APT
Tall Tales: How Chinese Actors Use Impersonation and … related

AlienVault Confidence 100 21 MITREs 2 Malwares 132 IOCs 132 Observables
Malicious Artifacts Found in Official KICS Docker Repository … related

AlienVault Confidence 100 19 MITREs 2 Malwares 14 IOCs 14 Observables 1 APT
Nightmare-Eclipse Tooling Seen in Real-World Intrusion related

AlienVault Confidence 100 1 CVE 18 MITREs 4 Malwares 3 IOCs 3 Observables
Cat's Got Your Files: Lynx Ransomware related

17 MITREs 7 Observables
Hide Your RDP: Password Spray Leads to RansomHub … related

25 MITREs 2 Malwares 9 Observables 1 APT

← Previous

Page / 2

1–12 of 21

Vulnerabilities (CVE) (12)

CVE-2026-33825 KEV targets

7.8 High

Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

Attack vector: LOCAL
Complexity: LOW
Published: 14/04/2026
Modified: 29/04/2026

CWE-1220 Received

CVE-2026-20127 KEV targets

10.0 Critical

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 18/06/2026

CWE-287 Analyzed

CVE-2025-0994 KEV targets

8.8 High

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This …

Attack vector: Network
Published: 07/02/2025
Modified: 21/12/2025

Analyzed

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2023-27532 KEV targets

7.5 High

Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …

Attack vector: Network
Published: 22/08/2023
Modified: 27/05/2026

CVE-2019-0797 KEV targets

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2019-0859 KEV targets

Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2026-20245 KEV targets

7.8 High

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …

Attack vector: LOCAL
Complexity: LOW
Published: 05/06/2026
Modified: 25/06/2026

CWE-116 Awaiting Analysis

CVE-2025-20362 KEV targets

6.5 Medium

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

CVE-2026-20182 KEV targets

10.0 Critical

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …

Attack vector: NETWORK
Complexity: LOW
Published: 14/05/2026
Modified: 18/06/2026

CWE-287 Analyzed

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

Attack patterns (MITRE) (1)

T1087 subtechnique-of

Account Discovery MITRE

Campaign (2)

Operation CuckooBees uses
Operation Digital Eye uses

Tool (4)

Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
Net uses

The MITRE Corporation Confidence 100

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
BloodHound uses

The MITRE Corporation Confidence 100

[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
PowerSploit uses

The MITRE Corporation Confidence 100

[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…

Course Of Action (1)

Operating System Configuration mitigates

Contact About Legal notice Privacy policy Terms of use