Merge pull request #48 from JimmyAstle/Discovery/Account_Linux

Discovery/account_Linux

Linux/Discovery/Account_Discovery.md

@@ -6,6 +6,18 @@ List of all accounts:
 
     cat /etc/passwd
 
+View sudoers access (requires root):
+
+    cat /etc/sudoers > /tmp/loot.txt
+
+View accounts with UID 0:
+
+    grep 'x:0:' /etc/passwd > /tmp/loot.txt
+
+List opened files by user:
+
+    username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
+
 Currently logged in:
 
 Local:
@@ -15,3 +27,7 @@ Local:
 Remote:
 
     finger @<computer_name>
+
+Show if a user account has ever logged in remotely:
+
+    lastlog > /tmp/loot.txt

Linux/README.md

@@ -2,7 +2,7 @@
 
 | Persistence                  | Privilege Escalation          | Defense Evasion               | Credential Access                      | Discovery                              | Lateral Movement                | Execution                | Collection                     | Exfiltration                                  | Command and Control                     |
 |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
-| .bash_profile and .bashrc    | Exploitation of Vulnerability | Binary Padding                | [Bash History](Credential_Access/Bash_History.md)                           | Account Discovery                      | Application Deployment Software | Command-Line Interface   | Audio Capture                  | Automated Exfiltration                        | Commonly Used Port                      |
+| .bash_profile and .bashrc    | Exploitation of Vulnerability | Binary Padding                | [Bash History](Credential_Access/Bash_History.md)                           | [Account Discovery](Discovery/Account_Discovery.md)                      | Application Deployment Software | Command-Line Interface   | Audio Capture                  | Automated Exfiltration                        | Commonly Used Port                      |
 | Bootkit                      | Setuid and Setgid             | [Clear Command History](Defense_Evasion/Clear_Command_History.md)          | Brute Force                            | File and Directory Discovery           | Exploitation of Vulnerability   | Graphical User Interface | Automated Collection           | Data Compressed                               | Communication Through Removable Media   |
 | [Cron Job](Persistence/Cron_Job.md)                     | Sudo                          | Disabling Security Tools      | [Create Account](Credential_Access/Create_Account.md)                         | Permission Groups Discovery            | Remote File Copy                | Scripting                | Clipboard Data                 | Data Encrypted                                | Connection Proxy                        |
 | Hidden Files and Directories | Valid Accounts                | Exploitation of Vulnerability | Credentials in Files                   | Process Discovery                      | Remote Services                 | Source                   | Data Staged                    | Data Transfer Size Limits                     | Custom Command and Control Protocol     |