MITRE ATT&CK Technique
Discovery T1087.001
Description

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as `net user` and `net localgroup` of the [Net](https://attack.mitre.org/software/S0039) utility and `id` and `groups` on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the `/etc/passwd` file. On macOS, the `dscl . list /Users` command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)

Supported Platforms
ESXi Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-02-21T21:07:55.393Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may attempt to get a listing of local system '
                'accounts. This information can help adversaries determine '
                'which local accounts exist on a system to aid in follow-on '
                'behavior.\n'
                '\n'
                'Commands such as <code>net user</code> and <code>net '
                'localgroup</code> of the '
                '[Net](https://attack.mitre.org/software/S0039) utility and '
                '<code>id</code> and <code>groups</code> on macOS and Linux '
                'can list local users and groups.(Citation: Mandiant '
                'APT1)(Citation: id man page)(Citation: groups man page) On '
                'Linux, local users can also be enumerated through the use of '
                'the <code>/etc/passwd</code> file. On macOS, the <code>dscl . '
                'list /Users</code> command can be used to enumerate local '
                'accounts. On ESXi servers, the `esxcli system account list` '
                'command can list local user accounts.(Citation: Crowdstrike '
                'Hypervisor Jackpotting Pt 2 2021)',
 'external_references': [{'external_id': 'T1087.001',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1087/001'},
                         {'description': 'MacKenzie, D. and Robbins, A. '
                                         '(n.d.). id(1) - Linux man page. '
                                         'Retrieved January 11, 2024.',
                          'source_name': 'id man page',
                          'url': 'https://linux.die.net/man/1/id'},
                         {'description': 'MacKenzie, D. and Youngman, J. '
                                         '(n.d.). groups(1) - Linux man page. '
                                         'Retrieved January 11, 2024.',
                          'source_name': 'groups man page',
                          'url': 'https://linux.die.net/man/1/groups'},
                         {'description': 'Mandiant. (n.d.). APT1 Exposing One '
                                         'of China’s Cyber Espionage Units. '
                                         'Retrieved July 18, 2016.',
                          'source_name': 'Mandiant APT1',
                          'url': 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf'},
                         {'description': 'Michael Dawson. (2021, August 30). '
                                         'Hypervisor Jackpotting, Part 2: '
                                         'eCrime Actors Increase Targeting of '
                                         'ESXi Servers with Ransomware. '
                                         'Retrieved March 26, 2025.',
                          'source_name': 'Crowdstrike Hypervisor Jackpotting '
                                         'Pt 2 2021',
                          'url': 'https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/'},
                         {'description': 'Stepanic, D.. (2020, January 13). '
                                         'Embracing offensive tooling: '
                                         'Building detections against Koadic '
                                         'using EQL. Retrieved November 17, '
                                         '2024.',
                          'source_name': 'Elastic - Koadiac Detection with EQL',
                          'url': 'https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql'}],
 'id': 'attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'discovery'}],
 'modified': '2025-10-24T17:48:32.515Z',
 'name': 'Local Account',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Daniel Stepanic, Elastic',
                          'Miriam Wiesner, @miriamxyra, Microsoft Security'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['ESXi', 'Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.5'}
Related Threat Actors (15)
royal
High

Medusa Group
High

Ke3chang
High

OilRig
High

Fox Kitten
High