T1087.001 - Account Discovery: Local Account

Description from ATT&CK

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.

Atomic Tests


Atomic Test #1 - Enumerate all accounts (Local)

Enumerate all accounts by copying /etc/passwd to another file

Supported Platforms: Linux

auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt|

Attack Commands: Run with 
1

sh
!

1
2

cat /etc/passwd > #{output_file}
cat #{output_file}

Cleanup Commands:

1

rm -f #{output_file}



Atomic Test #2 - View sudoers access

(requires root)

Supported Platforms: Linux, macOS

auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt|

Attack Commands: Run with 
1

sh
! Elevation Required (e.g. root or admin)

1
2
3

if [ -f /etc/sudoers ]; then sudo cat /etc/sudoers > #{output_file}; fi;
if [ -f /usr/local/etc/sudoers ]; then sudo cat /usr/local/etc/sudoers > #{output_file}; fi;
cat #{output_file}

Cleanup Commands:

1

rm -f #{output_file}



Atomic Test #3 - View accounts with UID 0

View accounts with UID 0

Supported Platforms: Linux, macOS

auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt|

Attack Commands: Run with 
1

sh
!

1
2
3

grep 'x:0:' /etc/passwd > #{output_file}
grep '*:0:' /etc/passwd >> #{output_file}
cat #{output_file} 2>/dev/null

Cleanup Commands:

1

rm -f #{output_file} 2>/dev/null



Atomic Test #4 - List opened files by user

List opened files by user

Supported Platforms: Linux, macOS

auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb

Attack Commands: Run with 
1

sh
!

1

username=$(id -u -n) && lsof -u $username

Dependencies: Run with 
1

sh
!

Description: check if lsof exists
Check Prereq Commands:
1

which lsof
Get Prereq Commands:
1

(which pkg && pkg install -y lsof)||(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)



Atomic Test #5 - Show if a user account has ever logged in remotely

Show if a user account has ever logged in remotely

Supported Platforms: Linux

auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt|

Attack Commands: Run with 
1

sh
!

1
2
3

[ "$(uname)" = 'FreeBSD' ] && cmd="lastlogin" || cmd="lastlog" 
$cmd > #{output_file}
cat #{output_file}

Cleanup Commands:

1

rm -f #{output_file}

Dependencies: Run with 
1

sh
!

Description: Check if lastlog command exists on the machine
Check Prereq Commands:
1

if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi
Get Prereq Commands:
1

sudo apt-get install login; exit 1;



Atomic Test #6 - Enumerate users and groups

Utilize groups and id to enumerate users and groups

Supported Platforms: Linux, macOS

auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e

Attack Commands: Run with 
1

sh
!

1
2

groups
id



Atomic Test #7 - Enumerate users and groups

Utilize local utilities to enumerate users and groups

Supported Platforms: macOS

auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2

Attack Commands: Run with 
1

sh
!

1
2
3
4
5

dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user



Atomic Test #8 - Enumerate all accounts on Windows (Local)

Enumerate all accounts Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session

Supported Platforms: Windows

auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab

Attack Commands: Run with 
1

command_prompt
!

net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup



Atomic Test #9 - Enumerate all accounts via PowerShell (Local)

Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.

Supported Platforms: Windows

auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b

Attack Commands: Run with 
1

powershell
!

1
2
3
4
5
6
7
8
9

net user
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-localgroup
net localgroup



Atomic Test #10 - Enumerate logged on users via CMD (Local)

Enumerate logged on users. Upon execution, logged on users will be displayed.

Supported Platforms: Windows

auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3

Attack Commands: Run with 
1

command_prompt
!

query user