- Tactics
- Discovery
- Platforms
- ESXi, Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1087.001
Description
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS, the dscl . list /Users command can be used to enumerate local accounts. On ESXi servers, the esxcli system account list command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Discovery tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1007 — System Service Discovery
- T1010 — Application Window Discovery
- T1012 — Query Registry
- T1016 — System Network Configuration Discovery
- T1018 — Remote System Discovery
- T1033 — System Owner/User Discovery
- T1040 — Network Sniffing
- T1046 — Network Service Discovery
- T1049 — System Network Connections Discovery
- T1057 — Process Discovery
- T1069 — Permission Groups Discovery
- T1082 — System Information Discovery