T1087 - Account Discovery
Description from ATT&CK
Adversaries may attempt to get a listing of local system or domain accounts.
Windows
Example commands that can acquire this information are `net user`, `net group`, and `net localgroup` using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.
Mac
On Mac, groups can be enumerated through the `groups` and `id` commands. In mac specifically, `dscl . list /Groups` and `dscacheutil -q group` can also be used to enumerate groups and users.
Linux
On Linux, local users can be enumerated through the use of the `/etc/passwd` file which is world readable. In mac, this same file is only used in single-user mode in addition to the `/etc/master.passwd` file.
Also, groups can be enumerated through the `groups` and `id` commands.
Office 365 and Azure AD
With authenticated access there are several tools that can be used to find accounts. The `Get-MsolRoleMember` PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)
Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command `az ad user list` will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)
The `Get-GlobalAddressList` PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
Atomic Tests
Atomic Test #1 - Enumerate all accounts
Enumerate all accounts by copying /etc/passwd to another file
Supported Platforms: Linux, macOS
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | ~/loot.txt |
Run it with sh!
cat /etc/passwd > #{output_file}
Atomic Test #2 - View sudoers access
(requires root)
Supported Platforms: Linux, macOS
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | ~/loot.txt |
Run it with sh!
cat /etc/sudoers > #{output_file}
Atomic Test #3 - View accounts with UID 0
View accounts with UID 0
Supported Platforms: Linux, macOS
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | ~/loot.txt |
Run it with sh!
grep 'x:0:' /etc/passwd > #{output_file}
Atomic Test #4 - List opened files by user
List opened files by user
Supported Platforms: Linux, macOS
Run it with sh!
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
Atomic Test #5 - Show if a user account has ever logged in remotely
Show if a user account has ever logged in remotely
Supported Platforms: Linux, macOS
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | ~/loot.txt |
Run it with sh!
lastlog > #{output_file}
Atomic Test #6 - Enumerate users and groups
Utilize groups and id to enumerate users and groups
Supported Platforms: Linux, macOS
Run it with sh!
groups
id
Atomic Test #7 - Enumerate users and groups
Utilize local utilities to enumerate users and groups
Supported Platforms: macOS
Run it with sh!
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
Atomic Test #8 - Enumerate all accounts
Enumerate all accounts
Supported Platforms: Windows
Run it with command_prompt!
net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
Atomic Test #9 - Enumerate all accounts via PowerShell
Enumerate all accounts via PowerShell
Supported Platforms: Windows
Run it with powershell!
net user
net user /domain
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-aduser -filter *
get-localgroup
net localgroup
Atomic Test #10 - Enumerate logged on users
Enumerate logged on users
Supported Platforms: Windows
Run it with command_prompt!
query user
Atomic Test #11 - Enumerate logged on users via PowerShell
Enumerate logged on users via PowerShell
Supported Platforms: Windows
Run it with powershell!
query user
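A defender-side view of the atomic tests above, added here as an example and not part of the Atomic Red Team project: it matches the page's command lines in process-creation events and alerts only when one user on one host runs several distinct discovery commands within a short window, since `id` or `net user` alone is routine. The event tuple format, host and user names, window and threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns mirror the command lines used by the atomic tests on this page.
PATTERNS = {
    "passwd_read": re.compile(r"\b(cat|grep)\b.*\s/etc/passwd\b"),
    "sudoers_read": re.compile(r"\bcat\b.*\s/etc/sudoers\b"),
    "lastlog": re.compile(r"^lastlog\b"),
    "id_groups": re.compile(r"^(id|groups)$"),
    "dscl_list": re.compile(r"^dscl \. list /(Users|Groups)\b"),
    "dscacheutil": re.compile(r"^dscacheutil -q (user|group)\b"),
    "net_enum": re.compile(r"^net(\.exe)? (user|group|localgroup)\b", re.I),
    "cmdkey_list": re.compile(r"^cmdkey(\.exe)? /list\b", re.I),
    "ps_enum": re.compile(r"^get-(localuser|localgroup(member)?|aduser)\b", re.I),
    "query_user": re.compile(r"^query user\b", re.I),
}

# Constructed sample events (assumed format): (ISO time, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "web01", "alice", "id"),
    ("2024-01-01T13:00:00", "web01", "alice", "cat /etc/passwd"),
    ("2024-01-01T10:00:05", "db02", "svc", "grep x:0: /etc/passwd"),
    ("2024-01-01T10:00:20", "db02", "svc", "cat /etc/sudoers"),
    ("2024-01-01T10:01:00", "db02", "svc", "lastlog"),
    ("2024-01-01T10:02:00", "ws03", "bob", "net user /domain"),
    ("2024-01-01T10:02:10", "ws03", "bob", "cmdkey.exe /list"),
]

def classify(cmdline):
    """Return the name of the first matching pattern, or None."""
    return next((n for n, rx in PATTERNS.items() if rx.search(cmdline.strip())), None)

def detect_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert when a (host, user) runs >= threshold distinct command types in the window."""
    hits = defaultdict(list)  # (host, user) -> [(time, pattern name)]
    for ts, host, user, cmdline in events:
        name = classify(cmdline)
        if name:
            hits[(host, user)].append((datetime.fromisoformat(ts), name))
    alerts = []
    for (host, user), seen in hits.items():
        seen.sort()
        for start, _ in seen:
            names = {n for t, n in seen if timedelta(0) <= t - start <= window}
            if len(names) >= threshold:
                alerts.append((host, user, sorted(names)))
                break
    return alerts
```

On the sample events, `detect_bursts(SAMPLE_EVENTS)` reports only the `db02`/`svc` sequence; lowering `threshold` to 2 also surfaces the Windows pair on `ws03`.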