Account Discovery

MITRE ATT&CK Technique: T1087

List of all accounts:

cat /etc/passwd

View sudoers access (requires root):

cat /etc/sudoers > /tmp/loot.txt

View accounts with UID 0:

grep 'x:0:' /etc/passwd > /tmp/loot.txt

List opened files by user:

username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username

Currently logged in:

Local:

finger

Remote:

finger @<computer_name>

Show if a user account has ever logged in remotely:

lastlog > /tmp/loot.txt