Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Discovery
  4. >ATTACK-T1087.001
ATTACK-T1087.001Active

Local Account

Statement

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as <code>net user</code> and <code>net localgroup</code> of the Net utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS, the <code>dscl . list /Users</code> command can be used to enumerate local accounts. On ESXi servers, the esxcli system account list command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)

Location

Tactic
Discovery

Technique Details

Identifier
ATTACK-T1087.001
Parent Technique
ATTACK-T1087
ATT&CK Page
View on MITRE

Tactics

Discovery

Platforms

ESXiLinuxmacOSWindows

Detection

Local Account Enumeration Across Host Platforms

Mitigations

Operating System Configuration: Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:

  • Turn off SMBv1, LLMNR, and NetBIOS where not needed.
  • Disable remote registry and unnecessary services.

Enforce OS-level Protections:

  • Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
  • Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:

  • Enable User Account Control (UAC) for Windows.
  • Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:

  • Implement least-privilege access for critical files and system directories.
  • Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:

  • Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
  • Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:

  • Enable Secure Boot and enforce UEFI/BIOS password protection.
  • Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:

  • Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

Tools for Implementation

Windows:

  • Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
  • Windows Defender Exploit Guard: Built-in OS protection against exploits.
  • CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:

  • AppArmor/SELinux: Enforce mandatory access controls.
  • Lynis: Perform comprehensive security audits.
  • SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:

  • Ansible or Chef/Puppet: Automate configuration hardening at scale.
  • OpenSCAP: Perform compliance and configuration checks.
SP 800-53
SP800-53-CM-6relatedvia ctid-attack-to-sp800-53
SP800-53-CM-7relatedvia ctid-attack-to-sp800-53
SP800-53-SI-4relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Discovery
Discovery43 controls
ATTACK-T1007System Service DiscoveryATTACK-T1010Application Window DiscoveryATTACK-T1012Query RegistryATTACK-T1016System Network Configuration DiscoveryATTACK-T1016.001Internet Connection DiscoveryATTACK-T1016.002Wi-Fi DiscoveryATTACK-T1018Remote System DiscoveryATTACK-T1033System Owner/User DiscoveryATTACK-T1046Network Service DiscoveryATTACK-T1049System Network Connections DiscoveryATTACK-T1057Process DiscoveryATTACK-T1069Permission Groups DiscoveryATTACK-T1069.001Local GroupsATTACK-T1069.002Domain GroupsATTACK-T1069.003Cloud GroupsATTACK-T1082System Information DiscoveryATTACK-T1083File and Directory DiscoveryATTACK-T1087Account DiscoveryATTACK-T1087.001Local AccountATTACK-T1087.002Domain AccountATTACK-T1087.003Email AccountATTACK-T1087.004Cloud AccountATTACK-T1120Peripheral Device DiscoveryATTACK-T1124System Time DiscoveryATTACK-T1135Network Share DiscoveryATTACK-T1201Password Policy DiscoveryATTACK-T1217Browser Information DiscoveryATTACK-T1482Domain Trust DiscoveryATTACK-T1518Software DiscoveryATTACK-T1518.001Security Software DiscoveryATTACK-T1518.002Backup Software DiscoveryATTACK-T1526Cloud Service DiscoveryATTACK-T1538Cloud Service DashboardATTACK-T1580Cloud Infrastructure DiscoveryATTACK-T1613Container and Resource DiscoveryATTACK-T1614System Location DiscoveryATTACK-T1614.001System Language DiscoveryATTACK-T1615Group Policy DiscoveryATTACK-T1619Cloud Storage Object DiscoveryATTACK-T1652Device Driver DiscoveryATTACK-T1654Log EnumerationATTACK-T1673Virtual Machine DiscoveryATTACK-T1680Local Storage Discovery