Adversaries may attempt to get a listing of local system or domain accounts.

===Windows===
Example commands that can acquire this information are net user, net group, and net localgroup using the Net utility, or through use of dsquery. Note that net group queries domain groups: run from a workstation it needs the /domain switch, while net localgroup reads the machine's own SAM groups. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.

===Mac===
On Mac, groups can be enumerated through the groups and id commands. On macOS specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

===Linux===
On Linux, local users can be enumerated through the /etc/passwd file, which is world readable. On macOS, this same file is only consulted in single-user mode, in addition to the /etc/master.passwd file; normal user accounts live in Directory Services and must be queried with dscl or dscacheutil. Groups can also be enumerated through the groups and id commands.

Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: API monitoring, Process command-line parameters, Process monitoring
Permissions Required: User
Contributors: Travis Smith, Tripwire
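The detection guidance above (monitor process creation and command-line arguments, and treat discovery as a chain of behaviour rather than isolated hits) as an added example, not code from the ATT&CK page or from Atomic Red Team. The pattern table is derived from the commands listed on this page; the event records, hostnames, user names and timestamps are constructed sample data; and the ten-minute window and threshold of three distinct discovery commands are assumptions to tune against your own telemetry.

```python
"""Account-discovery detection over process-creation events.

Added example (not part of the technique page or Atomic Red Team).
Command lines are matched against the discovery commands listed on this
page, and an alert fires only when several distinct ones come from the
same host and user inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes for the discovery commands named on this page. The "net" family
# is anchored on the sub-command so that "net use" (drive mapping) does
# not fire. Windows commands are matched case-insensitively.
DISCOVERY_PATTERNS = {
    "net_user":     re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I),
    "net_group":    re.compile(r"\bnet1?(\.exe)?\s+(local)?group\b", re.I),
    "dsquery":      re.compile(r"\bdsquery(\.exe)?\s+user\b", re.I),
    "ps_localuser": re.compile(r"\bget-local(user|group|groupmember)\b", re.I),
    "ps_aduser":    re.compile(r"\bget-aduser\b", re.I),
    "query_user":   re.compile(r"\b(query(\.exe)?\s+user|quser(\.exe)?)\b", re.I),
    "cmdkey_list":  re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "etc_passwd":   re.compile(r"/etc/(master\.)?passwd\b"),
    "etc_sudoers":  re.compile(r"/etc/sudoers\b"),
    "lastlog":      re.compile(r"\blastlog\b"),
    "dscl_list":    re.compile(r"\bdscl\s+\.\s+list\s+/(Users|Groups)\b"),
    "dscacheutil":  re.compile(r"\bdscacheutil\s+-q\s+(user|group)\b"),
}

# Constructed sample process-creation events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "ws01", "user": "CORP\\jdoe",
     "cmd": "C:\\Windows\\System32\\net.exe user"},
    {"ts": "2024-05-01T10:00:09", "host": "ws01", "user": "CORP\\jdoe",
     "cmd": "net user /domain"},
    {"ts": "2024-05-01T10:00:31", "host": "ws01", "user": "CORP\\jdoe",
     "cmd": "cmdkey.exe /list"},
    {"ts": "2024-05-01T10:01:02", "host": "ws01", "user": "CORP\\jdoe",
     "cmd": 'powershell.exe -c "Get-ADUser -Filter *"'},
    {"ts": "2024-05-01T10:01:40", "host": "ws01", "user": "CORP\\jdoe",
     "cmd": "quser.exe"},
    # Benign admin activity: one drive mapping and a single group listing.
    {"ts": "2024-05-01T11:15:00", "host": "ws02", "user": "CORP\\admin",
     "cmd": "net use Z: \\\\fs01\\share"},
    {"ts": "2024-05-01T11:16:00", "host": "ws02", "user": "CORP\\admin",
     "cmd": "net localgroup Administrators"},
    # Linux host: three distinct discovery commands in thirty seconds.
    {"ts": "2024-05-01T12:00:00", "host": "lnx01", "user": "svc",
     "cmd": "cat /etc/passwd"},
    {"ts": "2024-05-01T12:00:10", "host": "lnx01", "user": "svc",
     "cmd": "lastlog"},
    {"ts": "2024-05-01T12:00:20", "host": "lnx01", "user": "svc",
     "cmd": "grep x:0: /etc/passwd"},
    {"ts": "2024-05-01T12:00:30", "host": "lnx01", "user": "svc",
     "cmd": "sudo cat /etc/sudoers"},
]


def classify(cmd):
    """Return the set of discovery-command names matching one command line."""
    return {name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmd)}


def detect(events, window=timedelta(minutes=10), threshold=3):
    """Alert once per (host, user) when at least `threshold` distinct
    discovery commands occur within `window` of each other."""
    hits = defaultdict(list)
    for ev in events:
        names = classify(ev["cmd"])
        if names:
            key = (ev["host"], ev["user"])
            hits[key].append((datetime.fromisoformat(ev["ts"]), names))

    alerts = []
    for (host, user), seq in hits.items():
        seq.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(seq):
            seen = set()
            for ts, names in seq[i:]:
                if ts - start > window:
                    break
                seen |= names  # distinct commands, so repeats do not inflate the score
            if len(seen) >= threshold:
                alerts.append({"host": host, "user": user,
                               "commands": sorted(seen),
                               "first_seen": start.isoformat()})
                break  # one alert per host/user pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

With the constructed events, ws01 and lnx01 each raise one alert while the administrator on ws02 does not: a lone net localgroup is normal, and net use is deliberately not treated as account discovery. Both the window and the threshold are knobs; the sub-command anchoring in the net patterns is what keeps drive mapping out of the count.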
Enumerate all accounts from /etc/passwd
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | Path | ~/loot.txt |
cat /etc/passwd > #{output_file}
View sudoers access (requires root)
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | Path | ~/loot.txt |
cat /etc/sudoers > #{output_file}
View accounts with UID 0
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | Path | ~/loot.txt |
# Match on the UID field itself: grep 'x:0:' only works where the password field is 'x',
# so it returns nothing on macOS, whose /etc/passwd entries carry '*' in that field.
awk -F: '$3 == 0 {print $1}' /etc/passwd > #{output_file}
List open files by the current user
Supported Platforms: Linux, macOS
# Derive the user name from the session rather than parsing $HOME, which breaks on non-standard home paths
username=$(id -un) && lsof -u "$username"
Show whether each user account has ever logged in (lastlog; present on Linux, not shipped with macOS)
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | Path | ~/loot.txt |
lastlog > #{output_file}
Utilize local utilities to identify users and groups
Supported Platforms: Linux, macOS
groups
id
# macOS only (Directory Services); not available on Linux:
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
List all accounts
Supported Platforms: Windows
net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
List all accounts with PowerShell
Supported Platforms: Windows
net user
net user /domain
Get-LocalUser
Get-LocalGroupMember -Group Users
cmdkey.exe /list
ls C:/Users
Get-ChildItem C:\Users\
dir C:\Users\
Get-ADUser -Filter *   # requires the ActiveDirectory module (RSAT) and a domain-joined host
Get-LocalGroup
net localgroup
List logged on users
Supported Platforms: Windows
query user
List logged on users with PowerShell
Supported Platforms: Windows
query user