T1087.001 Local Account

Sub-technique of T1087

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as `net user` and `net localgroup` of the [Net](https://attack.mitre.org/software/S0039) utility and `id` and `groups` on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the `/etc/passwd` file. On macOS the `dscl . list /Users` command can be used to enumerate local accounts.
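As an added detection sketch (not part of the MITRE or SQUR text), the following flags a host and user that run two or more distinct account-listing commands from the paragraph above within a short window, since a lone `id` or `groups` is usually benign. The event field names, the sample events, the list of `/etc/passwd` readers and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Patterns for the commands named above. The file-reading tools in the last
# rule are an assumption; extend them to match your environment.
RULES = [
    ("net user", re.compile(r"^net1?(\.exe)?\s+users?\b", re.I)),
    ("net localgroup", re.compile(r"^net1?(\.exe)?\s+localgroup\b", re.I)),
    ("dscl list /Users", re.compile(r"^dscl\s+\.\s+-?list\s+/Users\b")),
    ("id/groups", re.compile(r"^(id|groups)(\s|$)")),
    ("/etc/passwd read",
     re.compile(r"^(cat|less|more|head|tail|grep|awk|cut)\b.*\s/etc/passwd\b")),
]
WINDOW_SECONDS = 300  # assumed correlation window
MIN_DISTINCT = 2      # assumed number of distinct rules needed to alert

def classify(cmdline):
    """Return the name of the matching rule, or None."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return None
    exe = re.split(r"[\\/]", parts[0])[-1]  # drop any directory prefix
    normalized = exe + (" " + parts[1] if len(parts) > 1 else "")
    if re.search(r"\s/(add|delete)\b", normalized, re.I):
        return None  # account modification, not enumeration
    return next((n for n, p in RULES if p.search(normalized)), None)

def find_bursts(events):
    """Return (host, user, first_ts, rules) per burst of distinct lookups."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        rule = classify(ev["cmdline"])
        if rule:
            hits[(ev["host"], ev["user"])].append((ev["ts"], rule))
    alerts = []
    for (host, user), seq in hits.items():
        for i, (start, _) in enumerate(seq):
            rules = {r for t, r in seq[i:] if t - start <= WINDOW_SECONDS}
            if len(rules) >= MIN_DISTINCT:
                alerts.append((host, user, start, sorted(rules)))
                break
    return alerts

# Constructed process-creation events (ts in seconds), not real telemetry.
EVENTS = [
    {"ts": 1000, "host": "ws01", "user": "alice", "cmdline": r"C:\Windows\System32\net.exe user"},
    {"ts": 1030, "host": "ws01", "user": "alice", "cmdline": "net1 localgroup administrators"},
    {"ts": 2000, "host": "ws02", "user": "bob", "cmdline": "net user svc_tmp * /add"},
    {"ts": 3000, "host": "lnx01", "user": "carol", "cmdline": "id"},
    {"ts": 9000, "host": "lnx01", "user": "carol", "cmdline": "cat /etc/passwd"},
    {"ts": 5000, "host": "mac01", "user": "dave", "cmdline": "/usr/bin/dscl . list /Users"},
    {"ts": 5010, "host": "mac01", "user": "dave", "cmdline": "groups"},
]
```

Command-line matching misses enumeration done through APIs or direct file reads without a child process, so treat this as one signal alongside file-access auditing of `/etc/passwd`.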

ATT&CK tactics · 1

Discovery

References

  1. https://attack.mitre.org/techniques/T1087/001
  2. https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.