T1087.001: Local Account
| View on MITRE ATT&CK | T1087.001 |
|---|---|
| Tactic(s) | Discovery |
Data from MITRE ATT&CK®:
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
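The enumeration commands named in the description map directly onto process-creation telemetry. The following detection sketch is an added example, not code from MITRE or from this site: it runs a rule set over constructed process-creation events (shaped loosely like Win EID 4688 / Sysmon EID 1 / auditd execve records) and, as a second signal, flags hosts where more than one distinct enumeration method ran. Event fields, rule names and the helper functions are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, not real telemetry. Two of them (net use, ls /Users)
# are benign look-alikes that the rules must not match.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "cmdline": "net user"},
    {"host": "ws01", "user": "alice", "cmdline": "net1 localgroup administrators"},
    {"host": "ws01", "user": "alice", "cmdline": "net use \\\\fs01\\share"},
    {"host": "srv02", "user": "svc_backup", "cmdline": "cat /etc/passwd"},
    {"host": "srv02", "user": "svc_backup", "cmdline": "id"},
    {"host": "mac03", "user": "bob", "cmdline": "dscl . list /Users"},
    {"host": "mac03", "user": "bob", "cmdline": "ls -la /Users"},
]

# One pattern per enumeration method listed in the technique description.
# Anchors and trailing (\s|$) keep "net use" from matching "net user".
RULES = [
    ("net_user_or_localgroup",
     re.compile(r"^\s*net1?(\.exe)?\s+(user|localgroup)(\s|$)", re.I)),
    ("etc_passwd_read",
     re.compile(r"(^|\s)(cat|less|more|head|tail|grep)\s+.*/etc/passwd(\s|$)")),
    ("dscl_list_users", re.compile(r"^\s*dscl\s+\.\s+-?list\s+/Users(\s|$)")),
    ("id_or_groups", re.compile(r"^\s*(id|groups)(\s|$)")),
]


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first rule that matches, or None if no rule fires."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Copy each matching event and tag it with the rule that fired."""
    return [{**ev, "rule": rule} for ev in events
            if (rule := classify(ev["cmdline"])) is not None]


def hosts_with_multiple_methods(hits: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts on which at least `threshold` distinct enumeration methods ran.
    A lone 'id' is noisy; several different methods on one host is a stronger signal."""
    per_host: Dict[str, set] = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= threshold)
```

Running detect over the sample yields five hits; only srv02 used two different methods and is returned by hosts_with_multiple_methods.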
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Group Enumeration (Group)
An extracted list of available groups and/or their associated settings (ex: AWS list-groups)
OS API Execution (Process)
Operating system function/method calls executed by a process
File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Enumerate logged on users via CMD (Local)
View accounts with UID 0
Enumerate all accounts via PowerShell (Local)
List opened files by user
Enumerate users and groups
Enumerate all accounts on Windows (Local)
Show if a user account has ever logged in remotely
Enumerate users and groups
Enumerate all accounts (Local)
View sudoers access
Sigma Detections for this Technique
Local Accounts Discovery
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Suspicious Use of PsLogList
Cisco Collect Data
Local System Accounts Discovery - MacOs
Malicious PowerShell Commandlets - ProcessCreation
Malicious PowerShell Commandlets - PoshModule
Local System Accounts Discovery - Linux
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
HackTool - Bloodhound/Sharphound Execution
BloodHound Collection Files
Malicious PowerShell Commandlets - ScriptBlock
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.