Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.Commands such as
net userandnet localgroupof the Net utility andidandgroupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the/etc/passwdfile.
-
Atomic Test #5 - Show if a user account has ever logged in remotely
-
Atomic Test #9 - Enumerate all accounts via PowerShell (Local)
Enumerate all accounts by copying /etc/passwd to another file
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt |
cat /etc/passwd > #{output_file}
cat #{output_file}rm -f #{output_file}(requires root)
Supported Platforms: Linux, macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt |
sudo cat /etc/sudoers > #{output_file}
cat #{output_file}rm -f #{output_file}View accounts with UID 0
Supported Platforms: Linux, macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt |
grep 'x:0:' /etc/passwd > #{output_file}
cat #{output_file} 2>/dev/nullrm -f #{output_file} 2>/dev/nullList opened files by user
Supported Platforms: Linux, macOS
username=$(id -u -n) && lsof -u $usernameShow if a user account has ever logged in remotely
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt |
lastlog > #{output_file}
cat #{output_file}rm -f #{output_file}if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; echo "Install lastlog on the machine to run the test."; exit 1;Utilize groups and id to enumerate users and groups
Supported Platforms: Linux, macOS
groups
idUtilize local utilities to enumerate users and groups
Supported Platforms: macOS
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q userEnumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
Supported Platforms: Windows
net user
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroupEnumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
Supported Platforms: Windows
net user
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-localgroup
net localgroupEnumerate logged on users. Upon exeuction, logged on users will be displayed.
Supported Platforms: Windows
query userEnumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed.
Supported Platforms: Windows
query user