Account Discovery
Sub-techniques (4)
Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Procedure Examples
Name | Description |
---|---|
ShimRatReporter | ShimRatReporter listed all non-privileged and privileged accounts available on the machine.[1] |
UNC2452 | UNC2452 obtained a list of users and their roles from an Exchange server using |
Mitigations
Mitigation | Description |
---|---|
Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
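The following is an added example, not part of the original page: a minimal correlation of process command lines that treats account-listing commands as a chain of behavior rather than as isolated events. The command patterns, event field names, time window, and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed patterns for common Windows account-listing commands (not from the page).
PATTERNS = {
    "net_user": re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+(local)?group\b", re.I),
    "wmic_useraccount": re.compile(r"\bwmic(\.exe)?\s.*\buseraccount\b", re.I),
    "ps_get_localuser": re.compile(r"\bget-localuser\b", re.I),
    "ps_get_aduser": re.compile(r"\bget-aduser\b", re.I),
}

def classify(cmdline):
    """Return the name of the first matching pattern, or None."""
    for name, rx in PATTERNS.items():
        if rx.search(cmdline):
            return name
    return None

def find_chains(events, window=timedelta(minutes=5), min_distinct=2):
    """Flag (host, user) pairs that run >= min_distinct different
    account-listing commands inside one time window."""
    hits = defaultdict(list)
    for ev in events:
        kind = classify(ev["cmdline"])
        if kind:
            ts = datetime.fromisoformat(ev["ts"])
            hits[(ev["host"], ev["user"])].append((ts, kind))
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            kinds = {k for t, k in seq[i:] if t - start <= window}
            if len(kinds) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "start": start.isoformat(), "kinds": sorted(kinds)})
                break  # one alert per (host, user)
    return alerts

# Constructed process-creation events; field names are hypothetical.
SAMPLE = [dict(zip(("ts", "host", "user", "cmdline"), row)) for row in [
    ("2024-01-01T10:00:00", "ws01", "alice", "net user /domain"),
    ("2024-01-01T10:01:30", "ws01", "alice", "powershell -c Get-LocalUser"),
    ("2024-01-01T10:02:10", "ws01", "alice", "net localgroup administrators"),
    ("2024-01-01T09:00:00", "ws02", "bob", "net user"),
    ("2024-01-01T11:00:00", "ws02", "bob", "wmic useraccount get name"),
    ("2024-01-01T10:00:00", "ws03", "carol", r"net use \\fs01\share"),
]]
```

Only ws01/alice is flagged in the sample: bob's two commands fall two hours apart, and carol's `net use` is not an account listing. Command-line matching does not see tools that call the Windows API directly, which the paragraph above notes as a separate collection path.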