atomic-red-team/atomics/T1087/T1087.md
2018-05-23 23:09:31 +00:00

T1087 - Account Discovery

Description from ATT&CK

Adversaries may attempt to get a listing of local system or domain accounts.

===Windows===

Example commands that can acquire this information are net user, net group, and net localgroup using the Net utility, or dsquery against Active Directory. If adversaries attempt to identify the primary user, the currently logged-in user, or the set of users that commonly use a system, System Owner/User Discovery may apply.

===Mac===

On macOS, groups can be enumerated through the groups and id commands. macOS also exposes the directory service: dscl . list /Groups and dscacheutil -q group enumerate groups, and dscl . list /Users and dscacheutil -q user enumerate users.

===Linux===

On Linux, local users can be enumerated by reading /etc/passwd, which is world readable. On macOS this file is only consulted in single-user mode, together with /etc/master.passwd; normal lookups go through the directory service (dscl, dscacheutil) instead.

Groups can be enumerated through the groups and id commands on both platforms.
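The Linux and macOS enumeration above, carried into a small script. This is an added example, not part of the atomic or of the ATT&CK text: it parses a passwd-format file with awk to list accounts, pick out UID 0 accounts, pick out accounts with an interactive shell, and flag any non-root UID 0 account (the defender's view of the same data). The passwd content, the temp file path and the function names are constructed for the example; point the functions at /etc/passwd on a real host.

```shell
#!/bin/sh
# Added example, not part of the atomic: account discovery from a passwd-format file.
# The sample below is constructed so the script runs offline; pass /etc/passwd instead
# for a real host. Fields are name:password:UID:GID:GECOS:home:shell.

SAMPLE_PASSWD="${TMPDIR:-/tmp}/t1087_sample_passwd.$$"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc:x:999:999:service account:/var/lib/svc:/bin/false
EOF

# Every account name, one per line (what cat /etc/passwd hands an adversary, minus the noise).
list_accounts() {
    awk -F: '{ print $1 }' "$1"
}

# Accounts whose UID field is 0. Testing field 3 instead of grepping the literal
# 'x:0:' also works on macOS, where the password field is '*' rather than 'x'.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shell permits interactive login; service accounts ending in
# nologin or false are excluded. These are the targets for credential attacks.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Defender-side check: any UID 0 account other than root deserves an alert.
# Returns 0 when root is the only UID 0 account, 1 otherwise.
only_root_is_uid0() {
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1")
    [ -z "$extra" ]
}

echo "accounts:     $(list_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "uid 0:        $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "interactive:  $(interactive_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
only_root_is_uid0 "$SAMPLE_PASSWD" || echo "WARNING: extra UID 0 account(s) present"
```

On the constructed sample the script reports root and toor as UID 0 and warns about toor. Run `uid0_accounts /etc/passwd` on a real host; on macOS remember that /etc/passwd only lists the system accounts, so pair it with dscl . list /Users.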

Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
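The detection guidance above applied to process-creation telemetry. This is an added example, not part of the atomic or of ATT&CK: it matches the T1087 commands named on this page against command lines in a log, then surfaces the users who ran several of them, since a single lookup is routine and a run of different ones is the chain of behaviour worth alerting on. The log lines are constructed in a simple key=value layout; the field extraction is the only part to adapt to real telemetry (Sysmon event 1, auditd EXECVE records, EDR process events).

```shell
#!/bin/sh
# Added example, not part of the atomic: flag account-discovery commands in
# process-creation logs and surface users who run several of them. The log lines
# below are constructed (timestamp host= user= parent= cmd="..."); map the field
# extraction to your own telemetry.

SAMPLE_LOG="${TMPDIR:-/tmp}/t1087_sample_proc.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2018-05-23T23:09:31Z host=ws01 user=alice parent=explorer.exe cmd="notepad.exe report.txt"
2018-05-23T23:10:02Z host=ws01 user=alice parent=cmd.exe cmd="net user"
2018-05-23T23:10:05Z host=ws01 user=alice parent=cmd.exe cmd="net group \"Domain Admins\" /domain"
2018-05-23T23:10:09Z host=ws01 user=alice parent=cmd.exe cmd="net localgroup administrators"
2018-05-23T23:10:40Z host=srv02 user=bob parent=bash cmd="cat /etc/passwd"
2018-05-23T23:11:00Z host=srv02 user=bob parent=bash cmd="ls -la /home"
2018-05-23T23:11:20Z host=mac03 user=carol parent=zsh cmd="dscl . list /Users"
2018-05-23T23:11:21Z host=mac03 user=carol parent=zsh cmd="dscacheutil -q group"
2018-05-23T23:11:25Z host=mac03 user=carol parent=zsh cmd="dscl . list /Groups"
EOF

# Commands ATT&CK lists for T1087, anchored at the start of the command line so
# that an argument that merely contains "net user" does not match.
DISCOVERY_RE='cmd="(net (user|group|localgroup)|dsquery|dscl \. list /(Users|Groups)|dscacheutil -q (user|group)|cat /etc/(passwd|sudoers)|lastlog)'

# Every process-creation line whose command is a discovery command.
discovery_events() {
    grep -E "$DISCOVERY_RE" "$1"
}

# Users with at least $2 discovery events in $1. One lookup is routine;
# several different lookups from one account is the pattern to alert on.
discovery_users_over() {
    discovery_events "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^user=/) { sub(/^user=/, "", $i); print $i } }' \
      | sort | uniq -c \
      | awk -v n="$2" '$1 >= n { print $2 }'
}

echo "discovery events: $(discovery_events "$SAMPLE_LOG" | wc -l | tr -d ' ')"
echo "users over threshold: $(discovery_users_over "$SAMPLE_LOG" 3 | tr '\n' ' ')"
```

On the sample, seven lines match and alice and carol cross a threshold of three while bob, with one cat /etc/passwd, does not. The pattern is command-line only, which is the limitation the page calls out: a tool that calls NetUserEnum or the directory-service APIs directly never produces these lines, so pair this with API monitoring where available.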

Platforms: Linux, macOS, Windows

Data Sources: API monitoring, Process command-line parameters, Process monitoring

Permissions Required: User

Contributors: Travis Smith, Tripwire

Atomic Tests


Atomic Test #1 - List all accounts

Dump the local account list from /etc/passwd to a file. The file is world readable, so no privilege is needed.

Supported Platforms: Linux, macOS

Inputs

Name         Description                                  Type   Default Value
output_file  Path where captured results will be placed   Path   ~/loot.txt

Run it with sh!

cat /etc/passwd > #{output_file}


Atomic Test #2 - View sudoers access

Read the sudoers policy to learn which accounts can escalate to root (requires root: /etc/sudoers is not readable by ordinary users, so a non-root run produces an empty output file and a permission error).

Supported Platforms: Linux, macOS

Inputs

Name         Description                                  Type   Default Value
output_file  Path where captured results will be placed   Path   ~/loot.txt

Run it with sh!

cat /etc/sudoers > #{output_file}


Atomic Test #3 - View accounts with UID 0

List every account whose UID field is 0, i.e. root and any root-equivalent account added as a backdoor. Matching on the third field rather than the literal string x:0: keeps the test working on macOS, where the password field in /etc/passwd is * instead of x.

Supported Platforms: Linux, macOS

Inputs

Name         Description                                  Type   Default Value
output_file  Path where captured results will be placed   Path   ~/loot.txt

Run it with sh!

awk -F: '$3 == 0' /etc/passwd > #{output_file}


Atomic Test #4 - List opened files by user

List the files and sockets the current account has open, which shows what a live user is doing. The user name is taken from the effective UID rather than from $HOME, so it also works for root (whose home is /root or /var/root) and for accounts with a non-standard home directory.

Supported Platforms: Linux, macOS

Run it with sh!

username=$(id -un) && lsof -u "$username"


Atomic Test #5 - Show if a user account has ever logged in remotely

Print the last login time, port and source host for every account in /etc/passwd; accounts that have never logged in are listed as such. lastlog reads /var/log/lastlog, which ordinary users can read on most distributions.

Supported Platforms: Linux (lastlog is not shipped with macOS; use last there)

Inputs

Name         Description                                  Type   Default Value
output_file  Path where captured results will be placed   Path   ~/loot.txt

Run it with sh!

lastlog > #{output_file}