Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as <code>net user</code> and <code>net localgroup</code> of the Net utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-6 | Configuration Settings | Protects | T1087.001 | Local Account | |
CM-7 | Least Functionality | Protects | T1087.001 | Local Account | |
SI-4 | System Monitoring | Protects | T1087.001 | Local Account | |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1087.001 | Local Account | Comments: This control may detect when the local administrators group is enumerated or when multiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated". |
azure_sentinel | Azure Sentinel | technique_scores | T1087.001 | Local Account | Comments: The Azure Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious account discovery through the use of the net tool. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1087.001 | Local Account | Comments: This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-ProcessTokenGroup module on Windows, but does not address other procedures or platforms, and the temporal factor is unknown, resulting in a Minimal score. |
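
A detection sketch for the listing commands named in the technique description, in the spirit of the net-tool hunting the Azure Sentinel entry describes. It is an added example, not code from MITRE or Microsoft; the event tuple layout, the 120-second window and the two-command threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# net / net1 followed by a verb; "/domain" queries a domain controller,
# which is domain (not local) account discovery, so it is excluded here.
NET = r"(?i)(?:^|[\\/\s])net1?(?:\.exe)?\s+%s(?=\s|$)(?!.*\s/domain\b)"
INDICATORS = {
    "net user": re.compile(NET % "users?"),
    "net localgroup": re.compile(NET % "localgroup"),
    "id": re.compile(r"(?:^|[/\s;|&])id(?=\s|$|[;|&])"),
    "groups": re.compile(r"(?:^|[/\s;|&])groups(?=\s|$|[;|&])"),
    "/etc/passwd": re.compile(r"(?:^|[\s<=])/etc/passwd(?=\s|$|[;|&])"),
}

def classify(cmdline):
    """Return the names of the indicators present in one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}

def find_bursts(events, window=120, min_distinct=2):
    """Flag (host, user) pairs that ran min_distinct or more different listing
    commands within `window` seconds; a lone id or groups call is routine."""
    hits = defaultdict(list)
    for ts, host, user, cmdline in events:
        for name in classify(cmdline):
            hits[(host, user)].append((ts, name))
    alerts = {}
    for key, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= min_distinct:
                alerts[key] = sorted(names)
                break
    return alerts

# Constructed process-creation events: (epoch seconds, host, user, command line)
SAMPLE_EVENTS = [
    (1000, "ws01", "alice", r"C:\Windows\System32\net.exe user"),
    (1010, "ws01", "alice", "net localgroup administrators"),
    (1030, "ws01", "alice", "net1 users"),
    (1000, "web01", "www-data", "id"),
    (1020, "web01", "www-data", "cat /etc/passwd"),
    (1045, "web01", "www-data", "groups www-data"),
    (2000, "db01", "bob", "id"),
    (9000, "db01", "bob", "groups"),           # too far apart to count
    (3000, "ws02", "carol", "net user /domain"),
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE_EVENTS))
```

Tune the window and threshold against a baseline of normal administrative activity before alerting on the result.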