Account Discovery

Adversaries may attempt to get a listing of local system or domain accounts.

Windows

Example commands that can acquire this information are net user, net group , and net localgroup using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.

Mac

On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

Linux

On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

Also, groups can be enumerated through the groups and id commands.

Office 365 and Azure AD

With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group.[1][2]

Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.[3][4]

The Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.[5][6]

ID: T1087
Tactic: Discovery
Platform: Linux, macOS, Windows, Office 365, Azure AD
Permissions Required: User
Data Sources: Azure activity logs, Office 365 account logs, API monitoring, Process monitoring, Process command-line parameters
CAPEC ID: CAPEC-575
Contributors: Microsoft Threat Intelligence Center (MSTIC); Travis Smith, Tripwire
Version: 2.0

Procedure Examples

Name Description
admin@338

admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: net user >> %temp%\download net user /domain >> %temp%\download[40]

Agent Tesla

Agent Tesla collects account information from the victim’s machine.[28]

APT1

APT1 used the commands net localgroup,net user, and net group to find accounts on the system.[46]

APT3

APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.[21]

APT32

APT32 enumerated administrative users and DC servers using the commands net localgroup administrators and net group "Domain Controllers" /domain.[43]

Bankshot

Bankshot gathers domain and account names/information through process monitoring.[29]

BRONZE BUTLER

BRONZE BUTLER has used net user /domain to identify account information.[44]

Carbon

Carbon runs the net group command to list accounts on the system.[18]

Comnie

Comnie uses the net user command.[32]

Dragonfly 2.0

Dragonfly 2.0 used batch scripts to enumerate users in the victim environment.[47]

dsquery

dsquery can be used to gather information on user accounts within a domain.[12]

Duqu

The discovery modules used with Duqu can collect information on accounts and permissions.[15]

Elise

Elise executes net user after initial communication is made to the remote server.[35]

Empire

Empire can acquire local and domain user account information.[13]

Epic

Epic gathers a list of all user accounts, privilege classes, and time of last logon.[26]

FIN6

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[38]

GeminiDuke

GeminiDuke collects information on local user accounts from the victim.[31]

InvisiMole

InvisiMole has a command to list account information on the victim’s machine.[22]

Kazuar

Kazuar gathers information on local groups and members on the victim’s machine.[19]

Ke3chang

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[41]

Kwampirs

Kwampirs collects a list of accounts with the command net users.[24]

MailSniper

MailSniper can be used to obtain account names from Exchange and Office 365 using the Get-GlobalAddressList cmdlet.[6]

menuPass

menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[42]

Mis-Type

Mis-Type may create a file containing the results of the command cmd.exe /c net user {{Username}}.[16]

MURKYTOP

MURKYTOP has the capability to retrieve information about users on remote hosts.[20]

Net

Commands under net user can be used in Net to gather information about and manipulate user accounts.[8]

OilRig

OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[45]

OSInfo

OSInfo enumerates local and domain users[21]

Poseidon Group

Poseidon Group searches for administrator accounts on both the local victim machine and the network.[48]

PoshC2

PoshC2 can enumerate local and domain user account information.[14]

PowerSploit

PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.[9][10]

POWERSTATS

POWERSTATS can retrieve usernames from compromised hosts.[25]

POWRUNER

POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim.[17]

PUNCHBUGGY

PUNCHBUGGY can gather user names.[37]

Pupy

Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.[11]

RATANKBA

RATANKBA uses the net user command.[27]

Remsec

Remsec can obtain a list of users.[36]

S-Type

S-Type runs the command net user on a victim. S-Type also runs tests to determine the privilege level of the compromised user.[16]

SHOTPUT

SHOTPUT has a command to retrieve information about connected users.[23]

Sykipot

Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership.[30]

Threat Group-3390

Threat Group-3390 has used net user to conduct internal discovery of systems.[39]

TrickBot

TrickBot collects the users of the system.[33][34]

Mitigations

Mitigation Description
Operating System Configuration

Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation.[7]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
  2. Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.
  3. Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
  4. Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
  5. Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6, 2019.
  6. Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper. Retrieved October 6, 2019.
  7. UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017.
  8. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  9. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  10. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  11. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  12. Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
  13. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  14. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  15. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  16. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  17. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  18. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.
  19. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  20. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  21. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  22. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  23. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  24. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  1. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  2. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  3. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  4. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  5. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  6. Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
  7. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  8. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  9. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  10. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  11. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  12. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  13. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  14. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  15. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  16. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  17. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  18. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  19. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  20. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  21. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  22. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  23. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  24. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.