MITRE ATT&CK · TA0007 Discovery

T1087: Account Discovery

Detection coverage in DCV across AWS, Azure and GCP for Account Discovery, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-05-21.

01 What is T1087?

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For example, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

Platforms: ESXi, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows.

02 Coverage in DCV

DCV maps 1 detection across 1 cloud provider to T1087. Coverage by source:

Source         Cloud  Findings mapped  Avg confidence
GCP Chronicle  GCP    1                0.85

03 Detect with CloudSigma

CloudSigma has coverage metadata for 1 T1087 rule across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.

CloudSigma has coverage metadata for T1087, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.

06 FAQ

Where does T1087 appear in cloud detection sources?

DCV maps 1 cloud-native detection to T1087 across 1 cloud provider, drawn from GCP Chronicle.

What MITRE ATT&CK tactic does T1087 belong to?

T1087 is part of MITRE ATT&CK TA0007 Discovery: How adversaries learn what they have access to.

How does CloudSigma fit for T1087?

CloudSigma ships 3 validated Sigma rules for T1087 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1087/
  • MITRE Tactic TA0007 Discovery, https://attack.mitre.org/tactics/TA0007/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)
Last verified: 2026-05-21