T1087.001 - Account Discovery: Local Account
Description from ATT&CK (opens in a new tab)
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as
net user
andnet localgroup
of the Net (opens in a new tab) utility andid
andgroups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the/etc/passwd
file. On macOS, thedscl . list /Users
command can be used to enumerate local accounts. On ESXi servers, theesxcli system account list
command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
Atomic Tests
-
Atomic Test #5 - Show if a user account has ever logged in remotely
-
Atomic Test #9 - Enumerate all accounts via PowerShell (Local)
Atomic Test #1 - Enumerate all accounts (Local)
Enumerate all accounts by copying /etc/passwd to another file
Supported Platforms: Linux
auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt |
Attack Commands: Run with sh
!
cat /etc/passwd > #{output_file}
cat #{output_file}
Cleanup Commands:
rm -f #{output_file}
Atomic Test #2 - View sudoers access
(requires root)
Supported Platforms: Linux, macOS
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt |
Attack Commands: Run with sh
! Elevation Required (e.g. root or admin)
if [ -f /etc/sudoers ]; then sudo cat /etc/sudoers > #{output_file}; fi;
if [ -f /usr/local/etc/sudoers ]; then sudo cat /usr/local/etc/sudoers > #{output_file}; fi;
cat #{output_file}
Cleanup Commands:
rm -f #{output_file}
Atomic Test #3 - View accounts with UID 0
View accounts with UID 0
Supported Platforms: Linux, macOS
auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt |
Attack Commands: Run with sh
!
grep 'x:0:' /etc/passwd > #{output_file}
grep '*:0:' /etc/passwd >> #{output_file}
cat #{output_file} 2>/dev/null
Cleanup Commands:
rm -f #{output_file} 2>/dev/null
Atomic Test #4 - List opened files by user
List opened files by user
Supported Platforms: Linux, macOS
auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
Attack Commands: Run with sh
!
username=$(id -u -n) && lsof -u $username
Dependencies: Run with sh
!
Description: check if lsof exists
Check Prereq Commands:
which lsof
Get Prereq Commands:
(which pkg && pkg install -y lsof)||(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)
Atomic Test #5 - Show if a user account has ever logged in remotely
Show if a user account has ever logged in remotely
Supported Platforms: Linux
auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt |
Attack Commands: Run with sh
!
[ "$(uname)" = 'FreeBSD' ] && cmd="lastlogin" || cmd="lastlog"
$cmd > #{output_file}
cat #{output_file}
Cleanup Commands:
rm -f #{output_file}
Dependencies: Run with sh
!
Description: Check if lastlog command exists on the machine
Check Prereq Commands:
if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi
Get Prereq Commands:
sudo apt-get install login; exit 1;
Atomic Test #6 - Enumerate users and groups
Utilize groups and id to enumerate users and groups
Supported Platforms: Linux, macOS
auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e
Attack Commands: Run with sh
!
groups
id
Atomic Test #7 - Enumerate users and groups
Utilize local utilities to enumerate users and groups
Supported Platforms: macOS
auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2
Attack Commands: Run with sh
!
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
Atomic Test #8 - Enumerate all accounts on Windows (Local)
Enumerate all accounts Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session
Supported Platforms: Windows
auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab
Attack Commands: Run with command_prompt
!
net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
Atomic Test #9 - Enumerate all accounts via PowerShell (Local)
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
Supported Platforms: Windows
auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
Attack Commands: Run with powershell
!
net user
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-localgroup
net localgroup
Atomic Test #10 - Enumerate logged on users via CMD (Local)
Enumerate logged on users. Upon execution, logged on users will be displayed.
Supported Platforms: Windows
auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3
Attack Commands: Run with command_prompt
!
query user
Atomic Test #11 - ESXi - Local Account Discovery via ESXCLI
An adversary can use ESXCLI to enumerate a list of all local accounts on an ESXi host. Reference (opens in a new tab)"
Supported Platforms: Windows
auto_generated_guid: 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
vm_host | Specify the host name or IP of the ESXi server. | string | atomic.local |
vm_user | Specify the privilege user account on the ESXi server. | string | root |
vm_pass | Specify the privileged user's password. | string | password |
plink_file | Path to Plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe |
Attack Commands: Run with command_prompt
!
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system account list"
Dependencies: Run with powershell
!
Description: Check if we have plink
Check Prereq Commands:
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"