Technique on mitre.org

T1087.001: Local Account

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

samba_active_directory_attacks: PT-CR-2955: SambaDC_Active_Directory_Data_Collection: LDAP requests to collect domain information were executed using the AD Explorer, SharpHound, JXplorer, or LDAP Administrator utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on. mongo_database: PT-CR-532: MongoDB_View_Users: An attempt to view a list of accounts in a database mongo_database: PT-CR-533: MongoDB_View_User_Roles: An attempt to view user roles in a database pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients mitre_attck_discovery: PT-CR-3040: Multiple_SrvSvc_Share_Access: Multiple connections to the SrvSvc network resource from the same host. Such behavior is typical for utilities that use the Win32 API function called NetSessionEnum that allows you to get a list of active user sessions on remote hosts. mitre_attck_discovery: PT-CR-2548: LocalGroupListMembers_From_Remote_Host: A security-enabled local group membership was enumerated from a remote host mitre_attck_discovery: PT-CR-320: Account_Or_Group_Discovery_Via_SAM_R: Attempt to retrieve an account list by making a SAM-R call mitre_attck_discovery: PT-CR-2753: NullSession_System_Discovery: Remote connection to the SAMR and LSARPC named pipes from the same host on behalf of an anonymous account. This may indicate the collection of information about the target system without using credentials (Null Session). mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host mitre_attck_discovery: PT-CR-319: Account_Discovery: An attempt to retrieve a list of accounts is detected mitre_attck_discovery: PT-CR-923: Multiple_Users_Enum: An attempt to enumerate users in the system is detected bruteforce: PT-CR-887: Windows_Password_Spraying: Password spraying on a Windows host. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth) hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to the winreg (2) and wkssvc (1) pipes under the account of the same user from the same host was detected. This may indicate the use of the SharpHound (BloodHound) LoggedOn information collection technique hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_To_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts. hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected hacking_tools: PT-CR-2019: SharpHound_Groups_Collection: The SharpHound (BloodHound) utility was started using one of the following collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly. These methods are used to collect information about local user groups on different domain hosts. hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected hacking_tools: PT-CR-1980: Subrule_SharpHound_Access_To_Samr_Srvsvc: A connection to the samr and srvsvc named pipes under the account of the same user from the same host was detected. This may indicate the use of one of the SharpHound (BloodHound) information collection techniques: LocalGroup, RDP, DCOM, LocalAdmin, or ComputerOnly hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts. hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with SharpHound or BloodHound software unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance. unix_mitre_attck_discovery: PT-CR-1686: Unix_Local_Account_Discovery: Listing local users of a Unix system clickhouse: PT-CR-1573: ClickHouse_Users_Privileges_Discovery: An attempt to receive information about user privileges is detected clickhouse: PT-CR-1570: ClickHouse_Account_Discovery: An attempt to retrieve a list of user accounts is detected active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.

Detection

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for API calls (such as `NetUserEnum()`) that may attempt to gather local accounts information such as type of user, privileges and groups.

ID	DS0036	Data source and component	Group: Group Enumeration	Description	Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for processes that can be used to enumerate user accounts and groups such as `net.exe` and `net1.exe`, especially when executed in quick succession. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). For Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on the enumeration/reading of files that store local users, including `/etc/passwd`. For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as `id` and `groups`. Analytic 1 - Net Discovery Commands `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="net.exe" OR Image="net1.exe"`

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as `net user`, `net account`, `net localgroup`, `Get-LocalUser`, and `dscl`. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

ID	DS0022	Data source and component	File: File Access	Description	Monitor access to file resources that contain local accounts and groups information such as `/etc/passwd`, `/Users` directories, and the Windows SAM database. If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

ID	Data source and component	Description
DS0009	Process: OS API Execution	Monitor for API calls (such as `NetUserEnum()`) that may attempt to gather local accounts information such as type of user, privileges and groups.
DS0036	Group: Group Enumeration	Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
DS0009	Process: Process Creation	Monitor for processes that can be used to enumerate user accounts and groups such as `net.exe` and `net1.exe`, especially when executed in quick succession. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). For Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on the enumeration/reading of files that store local users, including `/etc/passwd`. For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as `id` and `groups`. Analytic 1 - Net Discovery Commands `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="net.exe" OR Image="net1.exe"`
DS0017	Command: Command Execution	Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as `net user`, `net account`, `net localgroup`, `Get-LocalUser`, and `dscl`. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
DS0022	File: File Access	Monitor access to file resources that contain local accounts and groups information such as `/etc/passwd`, `/Users` directories, and the Windows SAM database. If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

Mitigation

ID	M1028	Name	Operating System Configuration	Description	Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at `HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators`. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.

ID	Name	Description
M1028	Operating System Configuration	Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at `HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators`. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.