
Account Discovery: Local Account

Description from ATT&CK

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as <code>net user</code> and <code>net localgroup</code> of the Net utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS the <code>dscl . list /Users</code> command can be used to enumerate local accounts.
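For validating detections against these tests, the following added example (not part of Atomic Red Team or ATT&CK) labels process command lines with patterns derived from the commands on this page and alerts when one user on one host runs several distinct enumeration commands in a short window. The event tuple layout, the label names, the threshold of 3 and the 5-minute window are assumptions of this example, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns derived from the commands on this page; the labels are this example's own.
PATTERNS = {
    "passwd_read": re.compile(r"\b(cat|grep)\b.*\s/etc/passwd\b"),
    "sudoers_read": re.compile(r"\bcat\s+/etc/sudoers\b"),
    "lastlog": re.compile(r"^lastlog\b"),
    "id_groups": re.compile(r"^(id|groups)\s*$"),
    "macos_dirsvc": re.compile(r"^(dscl\s+\.\s+list\s+/(Users|Groups)|dscacheutil\s+-q\s+(user|group))\b"),
    "net_user": re.compile(r"^net(\.exe)?\s+(user|localgroup)\b", re.I),
    "ps_local": re.compile(r"^get-local(user|group|groupmember)\b", re.I),
    "cmdkey_list": re.compile(r"^cmdkey(\.exe)?\s+/list\b", re.I),
    "query_user": re.compile(r"^query\s+user\b", re.I),
}

# Constructed process-execution events: (timestamp, host, user, command line); layout is assumed.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "web01", "svc", "cat /etc/passwd"),
    ("2024-01-01T10:01:00", "web01", "svc", "lastlog"),
    ("2024-01-01T10:02:00", "web01", "svc", "id"),
    ("2024-01-01T10:00:00", "db01", "alice", "id"),
    ("2024-01-01T12:00:00", "db01", "alice", "cat /etc/passwd"),
    ("2024-01-01T10:00:05", "ws07", "bob", "net user"),
    ("2024-01-01T10:00:30", "ws07", "bob", "cmdkey.exe /list"),
    ("2024-01-01T10:01:10", "ws07", "bob", "query user"),
]

def classify(cmdline):
    """Return the label of the first pattern matching a command line, or None."""
    return next((l for l, rx in PATTERNS.items() if rx.search(cmdline.strip())), None)

def find_bursts(events, min_distinct=3, window=timedelta(minutes=5)):
    """Alert when one (host, user) runs >= min_distinct distinct labels within window (assumed values)."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        label = classify(cmd)
        if label:
            hits[(host, user)].append((datetime.fromisoformat(ts), label))
    alerts = []
    for (host, user), seen in hits.items():
        for start, _ in sorted(seen):
            labels = sorted({l for t, l in seen if start <= t <= start + window})
            if len(labels) >= min_distinct:
                alerts.append({"host": host, "user": user, "labels": labels})
                break
    return alerts
```

A single `id` or `net user` is routine administration, which is why the example correlates distinct commands per host and user instead of alerting on each match.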

Atomic Tests

Atomic Test #1 - Enumerate all accounts (Local)

Enumerate all accounts by copying /etc/passwd to another file

Supported Platforms: linux,macos

auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt |

Attack Commands: Run with sh!

cat /etc/passwd > #{output_file}
cat #{output_file}

Cleanup Commands:

rm -f #{output_file}

Atomic Test #2 - View sudoers access

(requires root)

Supported Platforms: linux,macos

auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt |

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo cat /etc/sudoers > #{output_file}
cat #{output_file}

Cleanup Commands:

rm -f #{output_file}

Atomic Test #3 - View accounts with UID 0

View accounts with UID 0

Supported Platforms: linux,macos

auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt |

Attack Commands: Run with sh!

grep 'x:0:' /etc/passwd > #{output_file}
cat #{output_file} 2>/dev/null

Cleanup Commands:

rm -f #{output_file} 2>/dev/null

Atomic Test #4 - List opened files by user

List opened files by user

Supported Platforms: linux,macos

auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb

Inputs:

None

Attack Commands: Run with sh!

username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username

Atomic Test #5 - Show if a user account has ever logged in remotely

Show if a user account has ever logged in remotely

Supported Platforms: linux

auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt |

Attack Commands: Run with sh!

lastlog > #{output_file}
cat #{output_file}

Cleanup Commands:

rm -f #{output_file}

Dependencies: Run with sh!

Description: Check if lastlog command exists on the machine

Check Prereq Commands:

if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi

Get Prereq Commands:

echo "Install lastlog on the machine to run the test."; exit 1;

Atomic Test #6 - Enumerate users and groups

Utilize groups and id to enumerate users and groups

Supported Platforms: linux,macos

auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e

Inputs:

None

Attack Commands: Run with sh!

groups
id

Atomic Test #7 - Enumerate users and groups

Utilize local utilities to enumerate users and groups

Supported Platforms: macos

auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2

Inputs:

None

Attack Commands: Run with sh!

dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user

Atomic Test #8 - Enumerate all accounts on Windows (Local)

Enumerate all accounts. Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session.

Supported Platforms: windows

auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab

Inputs:

None

Attack Commands: Run with command_prompt!

net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup

Atomic Test #9 - Enumerate all accounts via PowerShell (Local)

Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.

Supported Platforms: windows

auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b

Inputs:

None

Attack Commands: Run with powershell!

net user
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-localgroup
net localgroup

Atomic Test #10 - Enumerate logged on users via CMD (Local)

Enumerate logged on users. Upon execution, logged on users will be displayed.

Supported Platforms: windows

auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3

Inputs:

None

Attack Commands: Run with command_prompt!

query user

Atomic Test #11 - Enumerate logged on users via PowerShell

Enumerate logged on users via PowerShell. Upon execution, logged on users will be displayed.

Supported Platforms: windows

auto_generated_guid: 2bdc42c7-8907-40c2-9c2b-42919a00fe03

Inputs:

None

Attack Commands: Run with powershell!

query user
