Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as <code>net user</code> and <code>net localgroup</code> of the Net utility and <code>id</code> and <code>groups</code>on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-6 | Configuration Settings | Protects | T1087.001 | Local Account |
| CM-7 | Least Functionality | Protects | T1087.001 | Local Account |
| SI-4 | System Monitoring | Protects | T1087.001 | Local Account |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1087.001 | Account Discovery: Local Account |