security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1087/T1087.md
T
CircleCI Atomic Red Team doc generator 65fd85dd3c Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00

124 lines
4.0 KiB
Markdown
Raw Blame History

# T1087 - Account Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087)
<blockquote>Adversaries may attempt to get a listing of local system or domain accounts.
===Windows===
Example commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.
===Mac===
On Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.
===Linux===
On Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.
Also, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: API monitoring, Process command-line parameters, Process monitoring
Permissions Required: User
Contributors: Travis Smith, Tripwire</blockquote>
## Atomic Tests
- [Atomic Test #1 - List all accounts](#atomic-test-1---list-all-accounts)
- [Atomic Test #2 - View sudoers access](#atomic-test-2---view-sudoers-access)
- [Atomic Test #3 - View accounts with UID 0](#atomic-test-3---view-accounts-with-uid-0)
- [Atomic Test #4 - List opened files by user](#atomic-test-4---list-opened-files-by-user)
- [Atomic Test #5 - Show if a user account has ever logger in remotely](#atomic-test-5---show-if-a-user-account-has-ever-logger-in-remotely)
<br/>
## Atomic Test #1 - List all accounts
xxx
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
cat /etc/passwd > #{output_file}
```
<br/>
<br/>
## Atomic Test #2 - View sudoers access
xxx (requires root)
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
cat /etc/sudoers > #{output_file}
```
<br/>
<br/>
## Atomic Test #3 - View accounts with UID 0
xxx
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
grep 'x:0:' /etc/passwd > #{output_file}
```
<br/>
<br/>
## Atomic Test #4 - List opened files by user
xxx
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
```
<br/>
<br/>
## Atomic Test #5 - Show if a user account has ever logger in remotely
xxx
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
lastlog > #{output_file}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink