ID | Name |
---|---|
T1087.001 | Local Account |
T1087.002 | Domain Account |
T1087.003 | Email Account |
T1087.004 | Cloud Account |
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user
and net localgroup
of the Net utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
ID | Name | Description |
---|---|---|
G0018 | admin@338 |
admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: |
S0331 | Agent Tesla |
Agent Tesla can collect account information from the victim’s machine.[2] |
G0006 | APT1 |
APT1 used the commands |
G0022 | APT3 |
APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.[4] |
G0050 | APT32 |
APT32 enumerated administrative users using the commands |
S0239 | Bankshot |
Bankshot gathers domain and account names/information through process monitoring.[6] |
S0534 | Bazar |
Bazar can identify administrator accounts on an infected host.[7] |
S0570 | BitPaymer |
BitPaymer can enumerate the sessions for each user logged onto the infected host.[8] |
S0521 | BloodHound |
BloodHound can identify users with local administrator rights.[9] |
G0114 | Chimera | |
S0244 | Comnie | |
S0038 | Duqu |
The discovery modules used with Duqu can collect information on accounts and permissions.[12] |
S0081 | Elise |
Elise executes |
S0363 | Empire |
Empire can acquire local and domain user account information.[14] |
S0091 | Epic |
Epic gathers a list of all user accounts, privilege classes, and time of last logon.[15] |
G0117 | Fox Kitten |
Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.[16] |
S0049 | GeminiDuke |
GeminiDuke collects information on local user accounts from the victim.[17] |
S0537 | HyperStack |
HyperStack can enumerate all account names on a remote share.[18] |
S0260 | InvisiMole |
InvisiMole has a command to list account information on the victim’s machine.[19] |
S0265 | Kazuar |
Kazuar gathers information on local groups and members on the victim’s machine.[20] |
G0004 | Ke3chang |
Ke3chang performs account discovery using commands such as |
S0236 | Kwampirs |
Kwampirs collects a list of accounts with the command |
S0084 | Mis-Type |
Mis-Type may create a file containing the results of the command |
S0233 | MURKYTOP |
MURKYTOP has the capability to retrieve information about users on remote hosts.[24] |
S0039 | Net |
Commands under |
G0049 | OilRig |
OilRig has run |
S0165 | OSInfo | |
S0598 | P.A.S. Webshell |
P.A.S. Webshell can display the /etc/passwd file on a compromised host.[27] |
S0453 | Pony |
Pony has used the |
G0033 | Poseidon Group |
Poseidon Group searches for administrator accounts on both the local victim machine and the network.[29] |
S0378 | PoshC2 |
PoshC2 can enumerate local and domain user account information.[30] |
S0194 | PowerSploit |
PowerSploit's |
S0223 | POWERSTATS |
POWERSTATS can retrieve usernames from compromised hosts.[33] |
S0196 | PUNCHBUGGY |
PUNCHBUGGY can gather user names.[34] |
S0192 | Pupy |
Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.[35] |
S0241 | RATANKBA | |
S0125 | Remsec | |
S0085 | S-Type |
S-Type runs the command |
S0063 | SHOTPUT |
SHOTPUT has a command to retrieve information about connected users.[38] |
S0649 | SMOKEDHAM |
SMOKEDHAM has used |
S0516 | SoreFang |
SoreFang can collect usernames from the local system via |
S0603 | Stuxnet | |
G0027 | Threat Group-3390 |
Threat Group-3390 has used |
S0266 | TrickBot | |
G0010 | Turla |
Turla has used |
S0452 | USBferry |
USBferry can use |
S0476 | Valak |
Valak has the ability to enumerate local admin accounts.[48] |
ID | Mitigation | Description |
---|---|---|
M1028 | Operating System Configuration |
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0009 | Process | OS API Execution |
Process Creation |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Monitor for processes that can be used to enumerate user accounts, such as net.exe
and net1.exe
, especially when executed in quick succession.[50]