# T1087 - Account Discovery

Adversaries may attempt to get a listing of local system or domain accounts.

### Windows

Example commands that can acquire this information are `net user`, `net group`, and `net localgroup` using the Net utility, or through use of `dsquery`. If adversaries attempt to identify the primary user, the currently logged-in user, or the set of users that commonly use a system, System Owner/User Discovery may apply.

### Mac

On Mac, groups can be enumerated through the `groups` and `id` commands. On macOS specifically, `dscl . list /Groups` and `dscacheutil -q group` can also be used to enumerate groups and users.

### Linux

On Linux, local users can be enumerated through the use of the `/etc/passwd` file, which is world readable. On macOS, this same file is only used in single-user mode, in addition to the `/etc/master.passwd` file.

Also, groups can be enumerated through the `groups` and `id` commands.

### Office 365 and Azure AD

With authenticated access there are several tools that can be used to find accounts. The `Get-MsolRoleMember` PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)

Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command `az ad user list` will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)

The `Get-GlobalAddressList` PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)

## Atomic Tests

## Atomic Test #1 - Enumerate all accounts

Enumerate all accounts by copying /etc/passwd to another file

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt |

#### Attack Commands: Run with `sh`!

```sh
cat /etc/passwd > #{output_file}
cat #{output_file}
```

#### Cleanup Commands:

```sh
rm -f #{output_file}
```

## Atomic Test #2 - View sudoers access

(requires root)

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt |

#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
cat /etc/sudoers > #{output_file}
cat #{output_file}
```

#### Cleanup Commands:

```sh
rm -f #{output_file}
```

## Atomic Test #3 - View accounts with UID 0

View accounts with UID 0

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt |

#### Attack Commands: Run with `sh`!

```sh
grep 'x:0:' /etc/passwd > #{output_file}
cat #{output_file} 2>/dev/null
```

#### Cleanup Commands:

```sh
rm -f #{output_file} 2>/dev/null
```
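
As an added example (not part of the Atomic Red Team page or its tests), the UID 0 check of Test #3 done by field rather than by the literal `grep 'x:0:'`: the literal works on a Linux `/etc/passwd`, where the password field is `x`, but finds nothing on macOS, where the field is `*`. Both sample files below are constructed; the extra UID 0 entry in the Linux sample is the kind of finding an audit of this file should surface.

```python
def uid0_accounts(passwd_text):
    """Return the login names of every account whose UID field is 0.

    /etc/passwd fields are name:password:uid:gid:gecos:home:shell. On Linux the
    password field is usually 'x' (the hash lives in /etc/shadow); on macOS it is
    '*', so a literal match on 'x:0:' silently finds nothing there.
    """
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # macOS /etc/passwd carries comment lines
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: skip rather than misparse
        if fields[2] == "0":
            names.append(fields[0])
    return names


def grep_x0(passwd_text):
    """Mimic the test's `grep 'x:0:' /etc/passwd`, returning the matching names."""
    return [l.split(":")[0] for l in passwd_text.splitlines() if "x:0:" in l]


# Constructed sample files (not real systems); the second UID 0 entry on Linux is
# what an audit should flag.
SAMPLE_LINUX_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "toor:x:0:0::/root:/bin/sh\n"
)
SAMPLE_MACOS_PASSWD = (
    "##\n# User Database\n##\n"
    "nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false\n"
    "root:*:0:0:System Administrator:/var/root:/bin/sh\n"
)

if __name__ == "__main__":
    print("linux parsed:", uid0_accounts(SAMPLE_LINUX_PASSWD), "grep:", grep_x0(SAMPLE_LINUX_PASSWD))
    print("macos parsed:", uid0_accounts(SAMPLE_MACOS_PASSWD), "grep:", grep_x0(SAMPLE_MACOS_PASSWD))
```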


## Atomic Test #4 - List opened files by user

List opened files by user

**Supported Platforms:** Linux, macOS

#### Attack Commands: Run with `sh`!

```sh
username=$(echo "$HOME" | awk -F'/' '{print $3}') && lsof -u "$username"
```

## Atomic Test #5 - Show if a user account has ever logged in remotely

Show if a user account has ever logged in remotely

**Supported Platforms:** Linux

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt |

#### Attack Commands: Run with `sh`!

```sh
lastlog > #{output_file}
cat #{output_file}
```

#### Cleanup Commands:

```sh
rm -f #{output_file}
```

#### Dependencies: Run with `sh`!

##### Description: Check if lastlog command exists on the machine

##### Check Prereq Commands:

```sh
if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi
```

##### Get Prereq Commands:

```sh
echo "Install lastlog on the machine to run the test."; exit 1;
```

## Atomic Test #6 - Enumerate users and groups

Utilize `groups` and `id` to enumerate users and groups

**Supported Platforms:** Linux, macOS

#### Attack Commands: Run with `sh`!

```sh
groups
id
```

## Atomic Test #7 - Enumerate users and groups

Utilize local utilities to enumerate users and groups

**Supported Platforms:** macOS

#### Attack Commands: Run with `sh`!

```sh
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
```

## Atomic Test #8 - Enumerate all accounts

Enumerate all accounts. Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session.

**Supported Platforms:** Windows

#### Attack Commands: Run with `command_prompt`!

```cmd
net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
```

## Atomic Test #9 - Enumerate all accounts via PowerShell

Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.

**Supported Platforms:** Windows

#### Attack Commands: Run with `powershell`!

```powershell
net user
net user /domain
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-aduser -filter *
get-localgroup
net localgroup
```

## Atomic Test #10 - Enumerate logged on users via CMD

Enumerate logged on users. Upon execution, logged on users will be displayed.

**Supported Platforms:** Windows

#### Attack Commands: Run with `command_prompt`!

```cmd
query user
```

## Atomic Test #11 - Enumerate logged on users via PowerShell

Enumerate logged on users via PowerShell. Upon execution, logged on users will be displayed.

**Supported Platforms:** Windows

#### Attack Commands: Run with `powershell`!

```powershell
query user
```

## Atomic Test #12 - Automated AD Recon (ADRecon)

ADRecon extracts and combines information about an AD environment into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adrecon_path | Path of ADRecon.ps1 file | Path | $env:TEMP\ADRecon.ps1 |

#### Attack Commands: Run with `powershell`!

```powershell
Invoke-Expression #{adrecon_path}
```

#### Cleanup Commands:

```powershell
Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
```

#### Dependencies: Run with `powershell`!

##### Description: ADRecon must exist on disk at specified location (#{adrecon_path})

##### Check Prereq Commands:

```powershell
if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path}
```
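
As an added example (not part of the Atomic Red Team page or its tests), the detection side of the twelve tests above: each test's command line is turned into a regex indicator, and a (host, user) pair is reported only when several distinct indicators fire, since a lone `net user` or `id` is everyday noise. It assumes process-creation telemetry already normalised to host, user and command-line fields; the events below are constructed sample data.

```python
import re
from collections import defaultdict

# Patterns derived from the commands in the atomic tests above and from the
# technique description. `groups` and `id` are deliberately omitted: alone they
# are routine noise, and the distinct-indicator threshold below carries the signal.
INDICATORS = {
    "net_user":    re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b", re.I),
    "query_user":  re.compile(r"\b(query(\.exe)?\s+user|quser)\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "ps_local":    re.compile(r"\bGet-Local(User|Group|GroupMember)\b", re.I),
    "ps_aduser":   re.compile(r"\bGet-ADUser\b.*-Filter\s+\*", re.I),
    "cloud_users": re.compile(r"\bGet-MsolRoleMember\b|\baz\s+ad\s+user\s+list\b|\bGet-GlobalAddressList\b", re.I),
    "passwd_read": re.compile(r"\b(cat|grep|less|more|head|tail|awk)\b.*\s/etc/(passwd|sudoers|master\.passwd)\b"),
    "lastlog":     re.compile(r"(^|\s)lastlog(\s|$)"),
    "lsof_user":   re.compile(r"\blsof\s+-u\b"),
    "dscl_list":   re.compile(r"\bdscl\s+\.\s+list\s+/(Users|Groups)\b"),
    "dscacheutil": re.compile(r"\bdscacheutil\s+-q\s+(user|group)\b"),
}

def classify(command_line):
    """Return the set of indicator names that match one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(command_line)}

def find_enumeration_bursts(events, min_distinct=3):
    """Group events by (host, user) and return the sessions in which at least
    `min_distinct` different indicators fired, as a sorted indicator list each."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["host"], ev["user"])] |= classify(ev["cmd"])
    return {key: sorted(v) for key, v in seen.items() if len(v) >= min_distinct}

# Constructed sample telemetry (hosts, users and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "cmd": "net user /domain"},
    {"host": "ws01", "user": "jdoe", "cmd": 'net localgroup "Users"'},  # same indicator again
    {"host": "ws01", "user": "jdoe", "cmd": "cmdkey.exe /list"},
    {"host": "ws01", "user": "jdoe", "cmd": "query user"},
    {"host": "ws01", "user": "svc_backup", "cmd": "net user backupsvc"},  # single hit: ignored
    {"host": "srv02", "user": "root", "cmd": "cat /etc/passwd > /tmp/T1087.txt"},
    {"host": "srv02", "user": "root", "cmd": "lastlog > /tmp/T1087.txt"},
    {"host": "srv02", "user": "root", "cmd": "lsof -u root"},
    {"host": "mac03", "user": "alice", "cmd": "dscl . list /Users"},  # single hit: ignored
]

if __name__ == "__main__":
    for (host, user), names in find_enumeration_bursts(SAMPLE_EVENTS).items():
        print(f"{host}/{user}: possible T1087 account discovery ({', '.join(names)})")
```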