T1087.001 Local Account
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user
and net localgroup
of the Net utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
Item | Value |
---|---|
ID | T1087.001 |
Sub-techniques | T1087.001, T1087.002, T1087.003, T1087.004 |
Tactics | TA0007 |
Platforms | Linux, Windows, macOS |
Version | 1.4 |
Created | 21 February 2020 |
Last Modified | 13 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0018 | admin@338 | admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: net user >> %temp%\download net user /domain >> %temp%\download 45 |
S0331 | Agent Tesla | Agent Tesla can collect account information from the victim’s machine.30 |
G0006 | APT1 | APT1 used the commands net localgroup ,net user , and net group to find accounts on the system.52 |
G0022 | APT3 | APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.14 |
G0050 | APT32 | APT32 enumerated administrative users using the commands net localgroup administrators .47 |
S0239 | Bankshot | Bankshot gathers domain and account names/information through process monitoring.24 |
S0534 | Bazar | Bazar can identify administrator accounts on an infected host.11 |
S0570 | BitPaymer | BitPaymer can enumerate the sessions for each user logged onto the infected host.21 |
S0521 | BloodHound | BloodHound can identify users with local administrator rights.7 |
G0114 | Chimera | Chimera has used net user for account discovery.48 |
S0244 | Comnie | Comnie uses the net user command.36 |
S0038 | Duqu | The discovery modules used with Duqu can collect information on accounts and permissions.38 |
S0081 | Elise | Elise executes net user after initial communication is made to the remote server.12 |
S0363 | Empire | Empire can acquire local and domain user account information.6 |
S0091 | Epic | Epic gathers a list of all user accounts, privilege classes, and time of last logon.29 |
G0117 | Fox Kitten | Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.50 |
S0049 | GeminiDuke | GeminiDuke collects information on local user accounts from the victim.17 |
S0537 | HyperStack | HyperStack can enumerate all account names on a remote share.31 |
S0260 | InvisiMole | InvisiMole has a command to list account information on the victim’s machine.32 |
S0265 | Kazuar | Kazuar gathers information on local groups and members on the victim’s machine.23 |
G0004 | Ke3chang | Ke3chang performs account discovery using commands such as net localgroup administrators and net group “REDACTED” /domain on specific permissions groups.46 |
S0236 | Kwampirs | Kwampirs collects a list of accounts with the command net users .20 |
S1015 | Milan | Milan has run C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1 to discover local accounts.28 |
S0084 | Mis-Type | Mis-Type may create a file containing the results of the command cmd.exe /c net user {Username} .15 |
G1009 | Moses Staff | Moses Staff has collected the administrator username from a compromised host.49 |
S0233 | MURKYTOP | MURKYTOP has the capability to retrieve information about users on remote hosts.40 |
S0039 | Net | Commands under net user can be used in Net to gather information about and manipulate user accounts.8 |
G0049 | OilRig | OilRig has run net user , net user /domain , net group “domain admins” /domain , and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.51 |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors used the net user command to gather account information.53 |
S0165 | OSInfo | OSInfo enumerates local and domain users14 |
S0598 | P.A.S. Webshell | P.A.S. Webshell can display the /etc/passwd file on a compromised host.25 |
S0453 | Pony | Pony has used the NetUserEnum function to enumerate local accounts.39 |
G0033 | Poseidon Group | Poseidon Group searches for administrator accounts on both the local victim machine and the network.44 |
S0378 | PoshC2 | PoshC2 can enumerate local and domain user account information.9 |
S0194 | PowerSploit | PowerSploit‘s Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.45 |
S0223 | POWERSTATS | POWERSTATS can retrieve usernames from compromised hosts.22 |
S0196 | PUNCHBUGGY | PUNCHBUGGY can gather user names.16 |
S0192 | Pupy | Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.3 |
S0241 | RATANKBA | RATANKBA uses the net user command.13 |
S0125 | Remsec | Remsec can obtain a list of users.37 |
S0085 | S-Type | S-Type has run the command net user on a victim.15 |
S0063 | SHOTPUT | SHOTPUT has a command to retrieve information about connected users.33 |
S0649 | SMOKEDHAM | SMOKEDHAM has used net.exe user and net.exe users to enumerate local accounts on a compromised host.10 |
S0516 | SoreFang | SoreFang can collect usernames from the local system via net.exe user .35 |
S0603 | Stuxnet | Stuxnet enumerates user accounts of the local host.26 |
G0027 | Threat Group-3390 | Threat Group-3390 has used net user to conduct internal discovery of systems.43 |
S0266 | TrickBot | TrickBot collects the users of the system.1819 |
G0010 | Turla | Turla has used net user to enumerate local accounts on the system.4142 |
S0452 | USBferry | USBferry can use net user to gather information about local accounts.34 |
S0476 | Valak | Valak has the ability to enumerate local admin accounts.27 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1028 | Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators . It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.2 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0036 | Group | Group Enumeration |
DS0009 | Process | OS API Execution |
References
-
Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. ↩
-
UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017. ↩
-
PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. ↩
-
PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. ↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩
-
Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020. ↩
-
Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015. ↩
-
Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. ↩
-
FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. ↩
-
Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. ↩
-
Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. ↩
-
Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. ↩
-
Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. ↩↩
-
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. ↩↩
-
Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. ↩
-
F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. ↩
-
Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. ↩
-
Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018. ↩
-
Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. ↩
-
Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. ↩
-
Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. ↩
-
Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. ↩
-
Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. ↩
-
ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. ↩
-
Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ↩
-
Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. ↩
-
ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. ↩
-
Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. ↩
-
The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. ↩
-
Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. ↩
-
Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. ↩
-
Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016. ↩
-
Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. ↩
-
CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. ↩
-
Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. ↩
-
Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. ↩
-
Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. ↩
-
hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. ↩
-
FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. ↩
-
Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. ↩
-
Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. ↩
-
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. ↩
-
Kaspersky Lab’s Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016. ↩
-
FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. ↩
-
Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. ↩
-
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. ↩
-
Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. ↩
-
Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. ↩
-
CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. ↩
-
Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. ↩
-
Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. ↩
-
Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. ↩