# Account Discovery

Account Discovery
Technique
ID T1087
Tactic Discovery
Platform Linux, macOS, Windows
Permissions Required User
Data Sources API monitoring, Process command-line parameters, Process monitoring
CAPEC ID CAPEC-575
Contributors Travis Smith, Tripwire

Adversaries may attempt to get a listing of local system or domain accounts.

## Contents

### Windows

Example commands that can acquire this information are net user, net group <groupname>, and net localgroup <groupname> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.

### Mac

On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

### Linux

On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

Also, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

## Examples

• APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.1
• BRONZE BUTLER has used net user /domain to identify account information.2
• FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.3
• Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.4
• OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.5
• Poseidon Group searches for administrator accounts on both the local victim machine and the network.6
• Threat Group-3390 has used net user to conduct internal discovery of systems.7
• admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: net user >> %temp%\download net user /domain >> %temp%\download8
• menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.9
• The discovery modules used with Duqu can collect information on accounts and permissions.10
• Elise executes net user after initial communication is made to the remote server.11
• GeminiDuke collects information on local user accounts from the victim.12
• Mis-Type may create a file containing the results of the command cmd.exe /c net user {Username}.13
• Commands under net user can be used in Net to gather information about and manipulate user accounts.14
• OSInfo enumerates local and domain users 1
• POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim.15
• Remsec can obtain a list of users.16
• S-Type runs the command net user on a victim. S-Type also runs tests to determine the privilege level of the compromised user.13
• SHOTPUT has a command to retrieve information about connected users.17
• Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership.18
• dsquery can be used to gather information on user accounts within a domain.19

## Mitigation

Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation.20

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting21 tools, like AppLocker,2223 or Software Restriction Policies24 where appropriate.25

## Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.