cti/enterprise-attack/attack-pattern/attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08.json

{
    "type": "bundle",
    "id": "bundle--6df009af-c99a-4515-b8d6-1fd3c0dd0ff6",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-05-31T21:31:06.988Z",
            "modified": "2018-01-17T12:56:55.080Z",
            "name": "Account Discovery",
            "description": "Adversaries may attempt to get a listing of local system or domain accounts. \n\n===Windows===\n\nExample commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.\n\n===Mac===\n\nOn Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.\n\n===Linux===\n\nOn Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.\n\nAlso, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: API monitoring, Process command-line parameters, Process monitoring\n\nPermissions Required: User\n\nContributors: Travis Smith, Tripwire",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "discovery"
                }
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/wiki/Technique/T1087",
                    "external_id": "T1087"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_contributors": [
                "Travis Smith, Tripwire"
            ],
            "x_mitre_data_sources": [
                "API monitoring",
                "Process command-line parameters",
                "Process monitoring"
            ],
            "x_mitre_permissions_required": [
                "User"
            ],
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ]
        }
    ]
}