Skip to content

Latest commit

 

History

History
365 lines (179 loc) · 6.3 KB

T1087.001.md

File metadata and controls

365 lines (179 loc) · 6.3 KB

T1087.001 - Local Account

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as net user and net localgroup of the Net utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file.

Atomic Tests


Atomic Test #1 - Enumerate all accounts (Local)

Enumerate all accounts by copying /etc/passwd to another file

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed Path /tmp/T1087.001.txt

Attack Commands: Run with sh!

cat /etc/passwd > #{output_file}
cat #{output_file}

Cleanup Commands:

rm -f #{output_file}


Atomic Test #2 - View sudoers access

(requires root)

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed Path /tmp/T1087.001.txt

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo cat /etc/sudoers > #{output_file}
cat #{output_file}

Cleanup Commands:

rm -f #{output_file}


Atomic Test #3 - View accounts with UID 0

View accounts with UID 0

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed Path /tmp/T1087.001.txt

Attack Commands: Run with sh!

grep 'x:0:' /etc/passwd > #{output_file}
cat #{output_file} 2>/dev/null

Cleanup Commands:

rm -f #{output_file} 2>/dev/null


Atomic Test #4 - List opened files by user

List opened files by user

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username


Atomic Test #5 - Show if a user account has ever logged in remotely

Show if a user account has ever logged in remotely

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed Path /tmp/T1087.001.txt

Attack Commands: Run with sh!

lastlog > #{output_file}
cat #{output_file}

Cleanup Commands:

rm -f #{output_file}

Dependencies: Run with sh!

Description: Check if lastlog command exists on the machine
Check Prereq Commands:
if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; 
Get Prereq Commands:
echo "Install lastlog on the machine to run the test."; exit 1;


Atomic Test #6 - Enumerate users and groups

Utilize groups and id to enumerate users and groups

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

groups
id


Atomic Test #7 - Enumerate users and groups

Utilize local utilities to enumerate users and groups

Supported Platforms: macOS

Attack Commands: Run with sh!

dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user


Atomic Test #8 - Enumerate all accounts on Windows (Local)

Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup


Atomic Test #9 - Enumerate all accounts via PowerShell (Local)

Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.

Supported Platforms: Windows

Attack Commands: Run with powershell!

net user
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-localgroup
net localgroup


Atomic Test #10 - Enumerate logged on users via CMD (Local)

Enumerate logged on users. Upon exeuction, logged on users will be displayed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

query user


Atomic Test #11 - Enumerate logged on users via PowerShell

Enumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed.

Supported Platforms: Windows

Attack Commands: Run with powershell!

query user