Account Discovery
Account Discovery | |
---|---|
Technique | |
ID | T1087 |
Tactic | Discovery |
Platform | Linux, macOS, Windows |
Permissions Required | User |
Data Sources | API monitoring, Process command-line parameters, Process monitoring |
CAPEC ID | CAPEC-575 |
Contributors | Travis Smith, Tripwire |
Adversaries may attempt to get a listing of local system or domain accounts.
Windows
Example commands that can acquire this information are net user
, net group <groupname>
, and net localgroup <groupname>
using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.
Mac
On Mac, groups can be enumerated through the groups
and id
commands. In mac specifically, dscl . list /Groups
and dscacheutil -q group
can also be used to enumerate groups and users.
Linux
On Linux, local users can be enumerated through the use of the /etc/passwd
file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd
file.
Also, groups can be enumerated through the groups
and id
commands. In mac specifically, dscl . list /Groups
and dscacheutil -q group
can also be used to enumerate groups and users.
Examples
- APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.1
- BRONZE BUTLER has used
net user /domain
to identify account information.2 - FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.3
- Ke3chang performs account discovery using commands such as
net localgroup administrators
andnet group "REDACTED" /domain
on specific permissions groups.4 - OilRig has run
net user
,net user /domain
,net group “domain admins” /domain
, andnet group “Exchange Trusted Subsystem” /domain
to get account listings on a victim.5 - Poseidon Group searches for administrator accounts on both the local victim machine and the network.6
- Threat Group-3390 has used
net user
to conduct internal discovery of systems.7 - admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts:
net user >> %temp%\download
net user /domain >> %temp%\download
8 - menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.9
- The discovery modules used with Duqu can collect information on accounts and permissions.10
- Elise executes
net user
after initial communication is made to the remote server.11 - GeminiDuke collects information on local user accounts from the victim.12
- MURKYTOP has the capability to retrieve information about users on remote hosts.13
- Mis-Type may create a file containing the results of the command
cmd.exe /c net user {Username}
.14 - Commands under
net user
can be used in Net to gather information about and manipulate user accounts.15 - OSInfo enumerates local and domain users 1
- POWERSTATS can retrieve usernames from compromised hosts.16
- POWRUNER may collect user account information by running
net user /domain
or a series of other commands on a victim.17 - PowerSploit's
Get-ProcessTokenGroup
Privesc-PowerUp module can enumerate all SIDs associated with its current token.1819 - Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc. 20
- Remsec can obtain a list of users.21
- S-Type runs the command
net user
on a victim. S-Type also runs tests to determine the privilege level of the compromised user.14 - SHOTPUT has a command to retrieve information about connected users.22
- Sykipot may use
net group "domain admins" /domain
to display accounts in the "domain admins" permissions group andnet localgroup "administrators"
to list local system administrator group membership.23 - dsquery can be used to gather information on user accounts within a domain.24
Mitigation
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation.25
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting26 tools, like AppLocker,2728 or Software Restriction Policies29 where appropriate.30
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
References
- a b ↑ Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- ^ ↑ Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- ^ ↑ FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- ^ ↑ Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- ^ ↑ Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- ^ ↑ Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
- ^ ↑ Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- ^ ↑ FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- ^ ↑ PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- ^ ↑ Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- ^ ↑ Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- ^ ↑ F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- ^ ↑ FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- a b ↑ Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- ^ ↑ Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- ^ ↑ Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- ^ ↑ Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- ^ ↑ PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- ^ ↑ PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- ^ ↑ Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- ^ ↑ Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- ^ ↑ Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
- ^ ↑ Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
- ^ ↑ Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
- ^ ↑ UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017.
- ^ ↑ Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- ^ ↑ Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- ^ ↑ NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- ^ ↑ Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- ^ ↑ Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.