security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1087/T1087.yaml
T
Carrie Roberts 0859cb997a removing descriptions of xxx (left over from template) (#546) 
* removing descriptions of xxx (left over from template)

* update input param descriptions

* description update

* removing descriptions of xxx (left over from template)
2019-09-03 14:11:18 -06:00

167 lines
3.5 KiB
YAML
Raw Blame History

---
attack_technique: T1087
display_name: Account Discovery
atomic_tests:
- name: Enumerate all accounts
description: |
Enumerate all accounts by copying /etc/passwd to another file
supported_platforms:
- linux
- macos
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: ~/loot.txt
executor:
name: sh
command: |
cat /etc/passwd > #{output_file}
- name: View sudoers access
description: |
(requires root)
supported_platforms:
- linux
- macos
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: ~/loot.txt
executor:
name: sh
command: |
cat /etc/sudoers > #{output_file}
- name: View accounts with UID 0
description: |
View accounts wtih UID 0
supported_platforms:
- linux
- macos
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: ~/loot.txt
executor:
name: sh
command: |
grep 'x:0:' /etc/passwd > #{output_file} - name: List opened files by user
- name: List opened files by user
description: |
List opened files by user
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
- name: Show if a user account has ever logger in remotely
description: |
Show if a user account has ever logger in remotely
supported_platforms:
- linux
- macos
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: ~/loot.txt
executor:
name: sh
command: |
lastlog > #{output_file}
- name: Enumerate users and groups
description: |
Utilize groups and id to enumerate users and groups
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
groups
id
- name: Enumerate users and groups
description: |
Utilize local utilities to enumerate users and groups
supported_platforms:
- macos
executor:
name: sh
command: |
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
- name: Enumerate all accounts
description: |
Enumerate all accounts
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
- name: Enumerate all accounts via PowerShell
description: |
Enumerate all accounts via PowerShell
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
net user
net user /domain
get-localuser
get-localgroupmembers -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-aduser -filter *
get-localgroup
net localgroup
- name: Enumerate logged on users
description: |
Enumerate logged on users
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
query user
- name: Enumerate logged on users via PowerShell
description: |
Enumerate logged on users via PowerShell
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
query user
Reference in New Issue View Git Blame Copy Permalink