MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1087.001: Local Account

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
unix_mitre_attck_discovery: PT-CR-1686: Unix_Local_Account_Discovery: Listing local users of a Unix system
hacking_tools: PT-CR-2019: SharpHound_Groups_Collection: The SharpHound (BloodHound) utility was started using one of the following collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly. These methods are used to collect information about local user groups on different domain hosts.
hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts.
microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
mitre_attck_discovery: PT-CR-319: Account_Discovery: An attempt to retrieve a list of accounts is detected
mitre_attck_discovery: PT-CR-320: Account_or_Group_discovery_via_SAM_R: An attempt to retrieve a list of accounts via SAM-R is detected
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to winreg (2) and wkssvc (1) named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) LoggedOn information collection method
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_to_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method
hacking_tools: PT-CR-1980: Subrule_SharpHound_Access_to_Samr_Srvsvc: A connection to samr and srvsvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of one of the SharpHound (BloodHound) information collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly
mitre_attck_discovery: PT-CR-923: Multiple_Users_Enum: An attempt to enumerate users in the system is detected
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
active_directory_attacks: PT-CR-87: Session_enumeration_smb: Enumeration of active user sessions on a specific host. This lets an attacker learn which users are logged in locally or connected through a shared SMB network resource, and use that information to gain access to the reconnoitred host
mongo_database: PT-CR-532: MongoDB_view_users: An attempt to view a list of accounts in a database
mongo_database: PT-CR-533: MongoDB_view_user_roles: An attempt to view user roles in a database
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
clickhouse: PT-CR-1570: ClickHouse_account_discovery: An attempt to retrieve a list of user accounts is detected
clickhouse: PT-CR-1573: ClickHouse_users_privileges_discovery: An attempt to retrieve information about user privileges is detected

Detection

ID: DS0036
Data source and component: Group: Group Enumeration
Description:

Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, e.g. Windows Security Event ID 4798 (a user's local group membership was enumerated) and 4799 (a security-enabled local group membership was enumerated). Both are generated by routine activity as well, so pivot on the calling process and the number of groups or users touched in a short interval rather than on a single event.

ID: DS0022
Data source and component: File: File Access
Description:

Monitor access to file resources that contain local accounts and groups information such as /etc/passwd, /Users directories, and the Windows SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created).

  • For Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on the enumeration/reading of files that store local users, including /etc/passwd.
  • For macOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as id and groups.
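The Linux bullet above says to alert on reads of /etc/passwd with auditd, but a bare watch on that file fires on every name-service lookup on the host, so the useful part is the triage that follows. The following is an added example (not MaxPatrol SIEM rule code and not from the MITRE page): it joins the SYSCALL and PATH records auditd emits for one event, keeps only reads of /etc/passwd, and drops readers on an allowlist. The audit log lines, the rule key account_discovery and the allowlist of comm values are constructed assumptions for the example.

```python
"""Triage auditd records for reads of /etc/passwd (added example).

Assumes a watch rule such as the following is loaded (e.g. from
/etc/audit/rules.d/, then `augenrules --load`):

    -w /etc/passwd -p r -k account_discovery

auditd writes one SYSCALL record plus one or more PATH records per event;
they share the msg=audit(<epoch>:<serial>) field, which is the join key.
"""
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from a real host): an sshd lookup, then
# `cat` and `awk` reading /etc/passwd from an interactive pts session.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0c2f3a10 a2=80000 a3=0 items=1 ppid=1 pid=412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="account_discovery"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0d2e2a0 a2=0 a3=0 items=1 ppid=3011 pid=3020 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=7 comm="cat" exe="/usr/bin/cat" key="account_discovery"
type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d1c0d2e2a0 a2=0 a3=0 items=1 ppid=3011 pid=3025 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=7 comm="awk" exe="/usr/bin/gawk" key="account_discovery"
type=PATH msg=audit(1700000000.303:503): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Daemons that legitimately read /etc/passwd all day via NSS lookups.
# Assumed allowlist: tune it per host, and never allowlist shells, pagers or awk.
BENIGN_COMM = {"sshd", "cron", "systemd", "login", "sudo", "nscd"}

_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into (serial, timestamp, {field: value}); None if not audit."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return m.group(2), float(m.group(1)), fields


def group_events(text):
    """Join SYSCALL and PATH records that share an audit serial."""
    events = defaultdict(lambda: {"ts": 0.0, "syscall": None, "paths": []})
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, ts, fields = parsed
        ev = events[serial]
        ev["ts"] = ts
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events


def passwd_reads(text, benign=BENIGN_COMM):
    """Return reads of /etc/passwd by processes that are not on the allowlist, oldest first."""
    hits = []
    for serial, ev in sorted(group_events(text).items(), key=lambda kv: kv[1]["ts"]):
        sc = ev["syscall"]
        if sc is None or "/etc/passwd" not in ev["paths"]:
            continue
        if sc.get("key") != "account_discovery" or sc.get("comm") in benign:
            continue
        hits.append({
            "serial": serial,
            "auid": sc.get("auid"),   # login UID survives sudo/su, so it names the human
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "tty": sc.get("tty"),
        })
    return hits


if __name__ == "__main__":
    for hit in passwd_reads(SAMPLE_AUDIT_LOG):
        print(hit)
```

The allowlist is the weak point of this approach: an attacker can copy /bin/cat to a name on the list. A tighter rule that keeps the noise down at the source is a syscall rule restricted to real logins, for example `-a always,exit -F arch=b64 -S openat -F path=/etc/passwd -F auid>=1000 -F auid!=4294967295 -k account_discovery`, after which the allowlist only has to cover interactive tooling you actually expect.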

Analytic 1 - Net Discovery Commands

((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) (Image="*\\net.exe" OR Image="*\\net1.exe")

The parentheses make the intended grouping explicit. Two assumptions are baked into this search: Sysmon's Image field carries the full path, so the process name needs the leading wildcard, and the Security 4688 event stores the same value in New_Process_Name, so the search only matches 4688 events if that field has been normalized to Image.

ID: DS0009
Data source and component: Process: OS API Execution
Description:

Monitor for API calls (such as NetUserEnum()) that may attempt to gather local accounts information such as type of user, privileges and groups.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as net user, net account, net localgroup, Get-LocalUser, and dscl.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
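The process-creation and command-execution guidance above leaves two practical problems to the analyst: Sysmon EID 1 and Security 4688 name their fields differently, and every net command produces two process creations because net.exe immediately spawns net1.exe with the same arguments, so a naive count of net.exe/net1.exe launches doubles the "quick succession" signal. The following is an added example (not MaxPatrol SIEM correlation-rule code and not MITRE's analytic) that normalizes both event types, matches the command lines named in the text (net user, net localgroup, net accounts, Get-LocalUser, dscl), collapses net1.exe children onto the typed command, and alerts when one user on one host runs two or more distinct discovery commands inside a two-minute window. The events, the window and the threshold are constructed assumptions; real 4688 events carry their timestamp in the System element rather than in a UtcTime field as the sample does.

```python
"""Account-discovery burst detection over Sysmon 1 / Security 4688 events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (assumption: timestamps flattened into UtcTime for both sources).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "EventCode": 1, "UtcTime": "2024-05-01 10:00:00.000",
     "Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user"},
    # net.exe hands the work to net1.exe: same command, second process creation.
    {"source": "Sysmon", "EventCode": 1, "UtcTime": "2024-05-01 10:00:00.050",
     "Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 user"},
    {"source": "Security", "EventCode": 4688, "UtcTime": "2024-05-01 10:00:04.000",
     "Computer": "WS01", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net localgroup administrators"},
    {"source": "Security", "EventCode": 4688, "UtcTime": "2024-05-01 10:00:09.000",
     "Computer": "WS01", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Get-LocalUser | Select Name,Enabled"},
    # Help desk looking up one account in isolation: should not trip the rule.
    {"source": "Sysmon", "EventCode": 1, "UtcTime": "2024-05-01 11:30:00.000",
     "Computer": "WS02", "User": "CORP\\helpdesk", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user svc_backup"},
]

# Command lines from the technique description. Matching on arguments, not just on
# the image, keeps everyday `net use` / `net start` out of the picture.
DISCOVERY_PATTERNS = [
    re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup|accounts)\b", re.I),
    re.compile(r"\bGet-LocalUser\b", re.I),
    re.compile(r"\bdscl\b.*\s/Users\b", re.I),
]


def normalize(ev):
    """Map Sysmon 1 and Security 4688 onto one shape; None for other event codes."""
    ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    if ev["EventCode"] == 1:
        user, image = ev["User"], ev["Image"]
    elif ev["EventCode"] == 4688:
        user = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        image = ev["NewProcessName"]
    else:
        return None
    return {"ts": ts, "host": ev["Computer"], "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": ev["CommandLine"]}


def is_discovery(n):
    """True when the normalized event's command line is one of the enumeration commands."""
    return any(p.search(n["cmdline"]) for p in DISCOVERY_PATTERNS)


def discovery_bursts(events, window=timedelta(minutes=2), threshold=2):
    """Return (host, user) actors that ran >= threshold distinct discovery commands within window.

    The command key strips the net/net1 image path, so the net1.exe child and the
    net.exe parent of one typed command count once.
    """
    per_actor = defaultdict(list)
    for ev in events:
        n = normalize(ev)
        if n and is_discovery(n):
            key = re.sub(r"^\S*net1?(\.exe)?\s+", "net ", n["cmdline"], flags=re.I).lower()
            per_actor[(n["host"], n["user"])].append((n["ts"], key))
    alerts = []
    for (host, user), seen in per_actor.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            in_window = {k for t, k in seen[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts.append({"host": host, "user": user, "commands": sorted(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The burst threshold is what turns a discovery event into something worth a ticket, in line with the note above that discovery should be read as part of a chain: a single net user from a help-desk host is noise, the same command followed within seconds by net localgroup administrators and Get-LocalUser is an operator mapping the box.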

Mitigation

ID: M1028
Name: Operating System Configuration
Description:

Prevent administrator accounts from being enumerated when an application is elevating through UAC, since the credential prompt would otherwise disclose local administrator account names to anyone at the console. The controlling registry value is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators (DWORD; 0 disables enumeration). It is managed through the GPO setting Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface > Enumerate administrator accounts on elevation, which should be set to Disabled (Not Configured has the same effect, as users are then always required to type a user name and password to elevate), and audited for hosts where it has been flipped to Enabled.