T1087.001: Local Account
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user
and net localgroup
of the Net utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
unix_mitre_attck_discovery: PT-CR-1686: Unix_Local_Account_Discovery: Listing local users of a Unix system
hacking_tools: PT-CR-2019: SharpHound_Groups_Collection: The SharpHound (BloodHound) utility was started using one of the following collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly. These methods are used to collect information about local user groups on different domain hosts.
hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts.
microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
mitre_attck_discovery: PT-CR-319: Account_Discovery: An attempt to retrieve a list of accounts is detected
mitre_attck_discovery: PT-CR-320: Account_or_Group_discovery_via_SAM_R: An attempt to retrieve a list of accounts via SAM-R is detected
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to winreg (2) and wkssvc (1) named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) LoggedOn information collection method
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_to_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method
hacking_tools: PT-CR-1980: Subrule_SharpHound_Access_to_Samr_Srvsvc: A connection to samr and srvsvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of one of the SharpHound (BloodHound) information collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly
mitre_attck_discovery: PT-CR-923: Multiple_Users_Enum: An attempt to enumerate users in the system is detected
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
active_directory_attacks: PT-CR-87: Session_enumeration_smb: Unloading active user sessions on a specific node. This will allow an attacker to obtain information about users logged in locally or through a shared SMB network resource. Using this data will allow an attacker to gain access to the intelligence node
mongo_database: PT-CR-532: MongoDB_view_users: An attempt to view a list of accounts in a database
mongo_database: PT-CR-533: MongoDB_view_user_roles: An attempt to view user roles in a database
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
clickhouse: PT-CR-1570: ClickHouse_account_discovery: An attempt to retrieve a list of user accounts is detected
clickhouse: PT-CR-1573: ClickHouse_users_privileges_discovery: An attempt to receive information about user privileges is detected
Detection
ID | DS0036 | Data source and component | Group: Group Enumeration | Description | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799. |
---|
ID | DS0022 | Data source and component | File: File Access | Description | Monitor access to file resources that contain local accounts and groups information such as If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources. |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for processes that can be used to enumerate user accounts and groups such as Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created).
Analytic 1 - Net Discovery Commands
|
---|
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor for API calls (such as |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. |
---|
Mitigation
ID | M1028 | Name | Operating System Configuration | Description | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
---|