T1087.001: T1087.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 21/02/2020 22:07 · Modified 21/04/2026 11:28

Essential information

MITRE technique ID: T1087.001
Confidence: 100/100
Revoked: No
Published: 21/02/2020 22:07
Modified: 21/04/2026 11:28
Author / Source: The MITRE Corporation

Aliases

Local Account

Platforms

windows macos linux ESXi

Description

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as `net user` and `net localgroup` of the [Net](https://attack.mitre.org/software/S0039) utility and `id` and `groups` on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the `/etc/passwd` file. On macOS, the `dscl . list /Users` command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)

Kill chain phases

Kill chain	Phase
mitre-attack	discovery

Marking (TLP)

External references

Crowdstrike Hypervisor Jackpotting Pt 2 2021
Elastic - Koadiac Detection with EQL
Mandiant APT1
groups man page
id man page
mitre-attack (T1087.001)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (34)

APT1 related Comment CrewComment Group

The MITRE Corporation Confidence 100

[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gootloader related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ke3chang related APT15Mirage

The MITRE Corporation Confidence 100

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamPCP related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Threat Group-3390 related Earth SmilodonTG-3390

The MITRE Corporation Confidence 100

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Thrip related DRAGONFISHSpring Dragon

The MITRE Corporation Confidence 100

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trigona related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8302 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
VerdantBamboo related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
play related

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

25–34 of 34

Pikabot uses

Family
BackConnect uses

Family
GOVERSHELL uses

Family
W32.Stuxnet uses

Family
ShadowPad - S0596 uses

Family
SquidDoor uses

Family
ToneShell uses

Family
POWERSTATS uses
Agamemnon downloader uses

Family
ChromElevator uses

Family
crypto-javascri uses

Family
BlueHammer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 69

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Inside a Tor Backed Supply Chain Worm related

AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT
Iran-Linked Hackers Breached Korean Electronics Maker in Global … related

AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
UAT-8302 and its box full of malware related

3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
PhantomRaven Wave 5: New Undocumented NPM Supply Chain … related

AlienVault Confidence 100 1 CVE 20 MITREs 17 IOCs 17 Observables 1 APT
Tall Tales: How Chinese Actors Use Impersonation and … related

AlienVault Confidence 100 21 MITREs 2 Malwares 132 IOCs 132 Observables
Malicious Artifacts Found in Official KICS Docker Repository … related

AlienVault Confidence 100 19 MITREs 2 Malwares 14 IOCs 14 Observables 1 APT
Nightmare-Eclipse Tooling Seen in Real-World Intrusion related

AlienVault Confidence 100 1 CVE 18 MITREs 4 Malwares 3 IOCs 3 Observables
Cat's Got Your Files: Lynx Ransomware related

17 MITREs 7 Observables
Hide Your RDP: Password Spray Leads to RansomHub … related

25 MITREs 2 Malwares 9 Observables 1 APT

← Previous

Page / 2

1–12 of 21

Vulnerabilities (CVE) (12)

CVE-2026-33825 KEV targets

7.8 High

Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

Attack vector: LOCAL
Complexity: LOW
Published: 14/04/2026
Modified: 29/04/2026

CWE-1220 Received

CVE-2026-20127 KEV targets

10.0 Critical

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 18/06/2026

CWE-287 Analyzed

CVE-2025-0994 KEV targets

8.8 High

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This …

Attack vector: Network
Published: 07/02/2025
Modified: 21/12/2025

Analyzed

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2023-27532 KEV targets

7.5 High

Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …

Attack vector: Network
Published: 22/08/2023
Modified: 27/05/2026

CVE-2019-0797 KEV targets

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2019-0859 KEV targets

Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2026-20245 KEV targets

7.8 High

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …

Attack vector: LOCAL
Complexity: LOW
Published: 05/06/2026
Modified: 25/06/2026

CWE-116 Awaiting Analysis

CVE-2025-20362 KEV targets

6.5 Medium

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

CVE-2026-20182 KEV targets

10.0 Critical

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …

Attack vector: NETWORK
Complexity: LOW
Published: 14/05/2026
Modified: 18/06/2026

CWE-287 Analyzed

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

Attack patterns (MITRE) (1)

T1087 subtechnique-of

Account Discovery MITRE

Campaign (2)

Operation CuckooBees uses
Operation Digital Eye uses

Tool (4)

Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
Net uses

The MITRE Corporation Confidence 100

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
BloodHound uses

The MITRE Corporation Confidence 100

[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
PowerSploit uses

The MITRE Corporation Confidence 100

[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…

Course Of Action (1)

Operating System Configuration mitigates

Contact About Legal notice Privacy policy Terms of use