View on MITRE ATT&CK

T1087.001 - Local Account

Sub-technique
Tattiche:
Discovery
Piattaforme:
ESXi Linux macOS Windows
Rilevamento:
Not specified
Description:
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS, the <code>dscl . list /Users</code> command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
Usato da Attori (18)
APT1
Nation-state
APT3
Nation-state
Turla
Nation-state
Poseidon Group
Unknown
OilRig
Nation-state
APT32
Nation-state
APT41
Nation-state
Fox Kitten
Unknown
APT42
Nation-state
Volt Typhoon
Unknown
Medusa Group
Unknown
admin@338
Unknown
Ke3chang
Unknown
Chimera
Unknown
Moses Staff
Unknown
RedCurl
Unknown
Threat Group-3390
Unknown
Lotus Blossom
Unknown
Malware (20)
TrickBot other Pikabot other MURKYTOP other Stuxnet other GeminiDuke other InvisibleFerret other Bankshot other Pony other HyperStack other DUSTTRAP other InvisiMole other P.A.S. Webshell other Kazuar other SHOTPUT other PUNCHBUGGY other S-Type other Duqu other Remsec other Epic other Elise other
Metadata
MITRE ID: T1087.001
STIX ID: attack-pattern--25659dd6-ea12-...
Piattaforme: ESXi, Linux, macOS, Windows
Created: 13/01/2026 17:48
Updated: 06/03/2026 16:00