Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as
net user and
net localgroup of the Net utility and
groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the
/etc/passwd file. On macOS the
dscl . list /Users command can be used to enumerate local accounts.
|M1028||Operating System Configuration||
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at
|ID||Data Source||Data Component||Detects|
Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor access to file resources that contain local accounts and groups information such as
If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.
|DS0009||Process||OS API Execution||
Monitor for API calls (such as
Monitor for processes that can be used to enumerate user accounts and groups such as