Nathan
217 lines
6.6 KiB
YAML
217 lines
6.6 KiB
YAML
attack_technique: T1087.001
|
|
display_name: 'Account Discovery: Local Account'
|
|
atomic_tests:
|
|
- name: Enumerate all accounts (Local)
|
|
auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f
|
|
description: |
|
|
Enumerate all accounts by copying /etc/passwd to another file
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1087.001.txt
|
|
executor:
|
|
command: |
|
|
cat /etc/passwd > #{output_file}
|
|
cat #{output_file}
|
|
cleanup_command: |
|
|
rm -f #{output_file}
|
|
name: sh
|
|
- name: View sudoers access
|
|
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
|
|
description: |
|
|
(requires root)
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1087.001.txt
|
|
executor:
|
|
command: |
|
|
if [ -f /etc/sudoers ]; then sudo cat /etc/sudoers > #{output_file}; fi;
|
|
if [ -f /usr/local/etc/sudoers ]; then sudo cat /usr/local/etc/sudoers > #{output_file}; fi;
|
|
cat #{output_file}
|
|
cleanup_command: |
|
|
rm -f #{output_file}
|
|
name: sh
|
|
elevation_required: true
|
|
- name: View accounts with UID 0
|
|
auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397
|
|
description: |
|
|
View accounts with UID 0
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1087.001.txt
|
|
executor:
|
|
command: |
|
|
grep 'x:0:' /etc/passwd > #{output_file}
|
|
grep '*:0:' /etc/passwd >> #{output_file}
|
|
cat #{output_file} 2>/dev/null
|
|
cleanup_command: |
|
|
rm -f #{output_file} 2>/dev/null
|
|
name: sh
|
|
- name: List opened files by user
|
|
auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
|
|
description: |
|
|
List opened files by user
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
username=$(id -u -n) && lsof -u $username
|
|
name: sh
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
check if lsof exists
|
|
prereq_command: |
|
|
which lsof
|
|
get_prereq_command: |
|
|
(which pkg && pkg install -y lsof)||(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)
|
|
- name: Show if a user account has ever logged in remotely
|
|
auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
|
|
description: |
|
|
Show if a user account has ever logged in remotely
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1087.001.txt
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
Check if lastlog command exists on the machine
|
|
prereq_command: |
|
|
if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi
|
|
get_prereq_command: |
|
|
sudo apt-get install login; exit 1;
|
|
executor:
|
|
command: |
|
|
[ "$(uname)" = 'FreeBSD' ] && cmd="lastlogin" || cmd="lastlog"
|
|
$cmd > #{output_file}
|
|
cat #{output_file}
|
|
cleanup_command: |
|
|
rm -f #{output_file}
|
|
name: sh
|
|
- name: Enumerate users and groups
|
|
auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e
|
|
description: |
|
|
Utilize groups and id to enumerate users and groups
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
groups
|
|
id
|
|
name: sh
|
|
- name: Enumerate users and groups
|
|
auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2
|
|
description: |
|
|
Utilize local utilities to enumerate users and groups
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
command: |
|
|
dscl . list /Groups
|
|
dscl . list /Users
|
|
dscl . list /Users | grep -v '_'
|
|
dscacheutil -q group
|
|
dscacheutil -q user
|
|
name: sh
|
|
- name: Enumerate all accounts on Windows (Local)
|
|
auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab
|
|
description: |
|
|
Enumerate all accounts
|
|
Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net user
|
|
dir c:\Users\
|
|
cmdkey.exe /list
|
|
net localgroup "Users"
|
|
net localgroup
|
|
name: command_prompt
|
|
- name: Enumerate all accounts via PowerShell (Local)
|
|
auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
|
|
description: |
|
|
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net user
|
|
get-localuser
|
|
get-localgroupmember -group Users
|
|
cmdkey.exe /list
|
|
ls C:/Users
|
|
get-childitem C:\Users\
|
|
dir C:\Users\
|
|
get-localgroup
|
|
net localgroup
|
|
name: powershell
|
|
- name: Enumerate logged on users via CMD (Local)
|
|
auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3
|
|
description: |
|
|
Enumerate logged on users. Upon execution, logged on users will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
query user
|
|
name: command_prompt
|
|
- name: ESXi - Local Account Discovery via ESXCLI
|
|
auto_generated_guid: 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c
|
|
description: |
|
|
An adversary can use ESXCLI to enumerate a list of all local accounts on an ESXi host.
|
|
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#account%20enumeration)"
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
vm_host:
|
|
description: Specify the host name or IP of the ESXi server.
|
|
type: string
|
|
default: atomic.local
|
|
vm_user:
|
|
description: Specify the privilege user account on the ESXi server.
|
|
type: string
|
|
default: root
|
|
vm_pass:
|
|
description: Specify the privileged user's password.
|
|
type: string
|
|
default: password
|
|
plink_file:
|
|
description: Path to Plink
|
|
type: path
|
|
default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Check if we have plink
|
|
prereq_command: |
|
|
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
|
|
executor:
|
|
command: |
|
|
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system account list"
|
|
name: command_prompt
|
|
elevation_required: false
|
|
|