T1087.001
Account Discovery: Local Account
Description from ATT&CK
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user and net localgroup of the Net utility and id and groups_on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the _/etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.
Atomic Tests
Atomic Test #1 - Enumerate all accounts (Local)
Enumerate all accounts by copying /etc/passwd to another file
Supported Platforms: linux
auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt |
Attack Commands: Run with sh!
1
2
3
cat /etc/passwd > #{output_file}
cat #{output_file}
Cleanup Commands:
1
2
rm -f #{output_file}
Atomic Test #2 - View sudoers access
(requires root)
Supported Platforms: linux,macos
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo cat /etc/sudoers > #{output_file}
cat #{output_file}
Cleanup Commands:
1
2
rm -f #{output_file}
Atomic Test #3 - View accounts with UID 0
View accounts with UID 0
Supported Platforms: linux,macos
auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt |
Attack Commands: Run with sh!
1
2
3
grep 'x:0:' /etc/passwd > #{output_file}
cat #{output_file} 2>/dev/null
Cleanup Commands:
1
2
rm -f #{output_file} 2>/dev/null
Atomic Test #4 - List opened files by user
List opened files by user
Supported Platforms: linux,macos
auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
Inputs:
None
Attack Commands: Run with sh!
1
2
username=$(id -u -n) && lsof -u $username
Dependencies: Run with sh!
Description: check if lsof exists
Check Prereq Commands:
1
2
which lsof
Get Prereq Commands:
1
2
(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)
Atomic Test #5 - Show if a user account has ever logged in remotely
Show if a user account has ever logged in remotely
Supported Platforms: linux
auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt |
Attack Commands: Run with sh!
1
2
3
lastlog > #{output_file}
cat #{output_file}
Cleanup Commands:
1
2
rm -f #{output_file}
Dependencies: Run with sh!
Description: Check if lastlog command exists on the machine
Check Prereq Commands:
1
2
if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi
Get Prereq Commands:
1
2
sudo apt-get install login; exit 1;
Atomic Test #6 - Enumerate users and groups
Utilize groups and id to enumerate users and groups
Supported Platforms: linux,macos
auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e
Inputs:
None
Attack Commands: Run with sh!
1
2
3
groups
id
Atomic Test #7 - Enumerate users and groups
Utilize local utilities to enumerate users and groups
Supported Platforms: macos
auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2
Inputs:
None
Attack Commands: Run with sh!
1
2
3
4
5
6
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
Atomic Test #8 - Enumerate all accounts on Windows (Local)
Enumerate all accounts Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session
Supported Platforms: windows
auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab
Inputs:
None
Attack Commands: Run with command_prompt!
1
2
3
4
5
6
net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
Atomic Test #9 - Enumerate all accounts via PowerShell (Local)
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
Supported Platforms: windows
auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
8
9
10
net user
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-localgroup
net localgroup
Atomic Test #10 - Enumerate logged on users via CMD (Local)
Enumerate logged on users. Upon execution, logged on users will be displayed.
Supported Platforms: windows
auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3
Inputs:
None
Attack Commands: Run with command_prompt!
1
2
query user