Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Local Account
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Local Account
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Account Discovery:  Local Account

ID Name
.001 Local Account
.002 Domain Account
.003 Email Account
.004 Cloud Account

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS, the dscl . list /Users command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)

ID: T1087.001
Sub-technique of:  T1087
Tactic(s): Discovery
Platforms: ESXi, Linux, Windows, macOS
Data Sources: Command: Command Execution, File: File Access, Group: Group Enumeration, Process: OS API Execution, Process: Process Creation
Version: 1.5
Created: 21 Feb 2020
Last Modified: 15 Apr 2025

Procedure Examples
Name Description
TrickBot

TrickBot collects the users of the system.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)
Pikabot

Pikabot will retrieve the name of the user associated with the thread under which the malware is executing.(Citation: Elastic Pikabot 2024)
Net

Commands under net user can be used in Net to gather information about and manipulate user accounts.(Citation: Savill 1999)
MURKYTOP

MURKYTOP has the capability to retrieve information about users on remote hosts.(Citation: FireEye Periscope March 2018)
BloodHound

BloodHound can identify users with local administrator rights.(Citation: CrowdStrike BloodHound April 2018)
Stuxnet

Stuxnet enumerates user accounts of the local host.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
PowerSploit

PowerSploit's Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)
GeminiDuke

GeminiDuke collects information on local user accounts from the victim.(Citation: F-Secure The Dukes)
Bankshot

Bankshot gathers domain and account names/information through process monitoring.(Citation: McAfee Bankshot)
Pony

Pony has used the NetUserEnum function to enumerate local accounts.(Citation: Malwarebytes Pony April 2016)

HyperStack

HyperStack can enumerate all account names on a remote share.(Citation: Accenture HyperStack October 2020)
DUSTTRAP

DUSTTRAP can enumerate local user accounts.(Citation: Google Cloud APT41 2024)
Empire

Empire can acquire local and domain user account information.(Citation: Github PowerShell Empire)
InvisiMole

InvisiMole has a command to list account information on the victim’s machine.(Citation: ESET InvisiMole June 2018)
P.A.S. Webshell

P.A.S. Webshell can display the /etc/passwd file on a compromised host.(Citation: ANSSI Sandworm January 2021)
PoshC2

PoshC2 can enumerate local and domain user account information.(Citation: GitHub PoshC2)
Kazuar

Kazuar gathers information on local groups and members on the victim’s machine.(Citation: Unit 42 Kazuar May 2017)
SHOTPUT

SHOTPUT has a command to retrieve information about connected users.(Citation: Palo Alto CVE-2015-3113 July 2015)
PUNCHBUGGY

PUNCHBUGGY can gather user names.(Citation: Morphisec ShellTea June 2019)
S-Type

S-Type has run the command `net user` on a victim.(Citation: Cylance Dust Storm)
Duqu

The discovery modules used with Duqu can collect information on accounts and permissions.(Citation: Symantec W32.Duqu)
Remsec

Remsec can obtain a list of users.(Citation: Kaspersky ProjectSauron Technical Analysis)
Epic

Epic gathers a list of all user accounts, privilege classes, and time of last logon.(Citation: Kaspersky Turla Aug 2014)
Agent Tesla

Agent Tesla can collect account information from the victim’s machine.(Citation: DigiTrust Agent Tesla Jan 2017)
Elise

Elise executes net user after initial communication is made to the remote server.(Citation: Lotus Blossom Jun 2015)
USBferry

USBferry can use net user to gather information about local accounts.(Citation: TrendMicro Tropic Trooper May 2020)

SMOKEDHAM

SMOKEDHAM has used net.exe user and net.exe users to enumerate local accounts on a compromised host.(Citation: FireEye SMOKEDHAM June 2021)
Bazar

Bazar can identify administrator accounts on an infected host.(Citation: NCC Group Team9 June 2020)
RATANKBA

RATANKBA uses the net user command.(Citation: RATANKBA)
MgBot

MgBot includes modules for identifying local administrator accounts on victim systems.(Citation: Symantec Daggerfly 2023)
Valak

Valak has the ability to enumerate local admin accounts.(Citation: Cybereason Valak May 2020)
Milan

Milan has run `C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1` to discover local accounts.(Citation: ClearSky Siamesekitten August 2021)
Raccoon Stealer

Raccoon Stealer checks the privileges of running processes to determine if the running user is equivalent to `NT Authority\System`.(Citation: Sekoia Raccoon2 2022)
Kwampirs

Kwampirs collects a list of accounts with the command net users.(Citation: Symantec Orangeworm April 2018)
Pupy

Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.(Citation: GitHub Pupy)
POWERSTATS

POWERSTATS can retrieve usernames from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)
Mis-Type

Mis-Type may create a file containing the results of the command cmd.exe /c net user {Username}.(Citation: Cylance Dust Storm)
SoreFang

SoreFang can collect usernames from the local system via net.exe user.(Citation: CISA SoreFang July 2016)
Comnie

Comnie uses the net user command.(Citation: Palo Alto Comnie)
OSInfo

OSInfo enumerates local and domain users(Citation: Symantec Buckeye)
BitPaymer

BitPaymer can enumerate the sessions for each user logged onto the infected host.(Citation: Crowdstrike Indrik November 2018)
Turla

Turla has used net user to enumerate local accounts on the system.(Citation: ESET ComRAT May 2020)(Citation: ESET Crutch December 2020)
Fox Kitten

Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.(Citation: CISA AA20-259A Iran-Based Actor September 2020)
APT1

APT1 used the commands net localgroup,net user, and net group to find accounts on the system.(Citation: Mandiant APT1)
Poseidon Group

Poseidon Group searches for administrator accounts on both the local victim machine and the network.(Citation: Kaspersky Poseidon Group)
Threat Group-3390

Threat Group-3390 has used net user to conduct internal discovery of systems.(Citation: SecureWorks BRONZE UNION June 2017)
APT32

APT32 enumerated administrative users using the commands net localgroup administrators.(Citation: Cybereason Cobalt Kitty 2017)
Moses Staff

Moses Staff has collected the administrator username from a compromised host.(Citation: Checkpoint MosesStaff Nov 2021)
OilRig

OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.(Citation: Palo Alto OilRig May 2016)
Chimera

Chimera has used net user for account discovery.(Citation: NCC Group Chimera January 2021)
Volt Typhoon

Volt Typhoon has executed `net user` and `quser` to enumerate local account information.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
Ke3chang

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.(Citation: Mandiant Operation Ke3chang November 2014)
RedCurl

RedCurl has collected information about local accounts.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)
APT42

APT42 has used the PowerShell-based POWERPOST script to collect local account names from the victim machine.(Citation: Mandiant APT42-charms)

APT3

APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.(Citation: Symantec Buckeye)
Lotus Blossom

Lotus Blossom has used commands such as `net` to profile local system users.(Citation: Cisco LotusBlossom 2025)
APT41

APT41 used built-in net commands to enumerate local administrator groups.(Citation: Rostovcev APT41 2021)
admin@338

admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: net user >> %temp%\download net user /domain >> %temp%\download(Citation: FireEye admin@338)

Mitigations
Mitigation Description
Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures: Disable Unused Features: - Turn off SMBv1, LLMNR, and NetBIOS where not needed. - Disable remote registry and unnecessary services. Enforce OS-level Protections: - Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows. - Use AppArmor or SELinux on Linux for mandatory access controls. Secure Access Settings: - Enable User Account Control (UAC) for Windows. - Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files. File System Hardening: - Implement least-privilege access for critical files and system directories. - Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS). Secure Remote Access: - Restrict RDP, SSH, and VNC to authorized IPs using firewall rules. - Enable NLA for RDP and enforce strong password/lockout policies. Harden Boot Configurations: - Enable Secure Boot and enforce UEFI/BIOS password protection. - Use BitLocker or LUKS to encrypt boot drives. Regular Audits: - Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools. *Tools for Implementation* Windows: - Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings. - Windows Defender Exploit Guard: Built-in OS protection against exploits. - CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks. Linux/macOS: - AppArmor/SELinux: Enforce mandatory access controls. - Lynis: Perform comprehensive security audits. - SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol. Cross-Platform: - Ansible or Chef/Puppet: Automate configuration hardening at scale. - OpenSCAP: Perform compliance and configuration checks.

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Monitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)

References

  1. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  2. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  3. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  4. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  5. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  6. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  7. UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017.
  8. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  9. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  10. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  11. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  12. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  13. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  14. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  15. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  16. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  17. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  18. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  19. Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.
  20. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  21. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  22. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  23. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  24. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  25. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  26. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  27. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  28. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  29. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  30. MacKenzie, D. and Youngman, J. (n.d.). groups(1) - Linux man page. Retrieved January 11, 2024.
  31. MacKenzie, D. and Robbins, A. (n.d.). id(1) - Linux man page. Retrieved January 11, 2024.
  32. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
  33. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  34. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  35. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  36. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  37. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  38. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  39. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  40. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  41. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  42. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  43. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  44. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  45. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  46. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  47. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  48. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  49. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  50. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  51. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  52. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  53. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  54. Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
  55. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  56. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  57. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  58. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  59. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  60. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  61. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  62. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  63. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  64. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  65. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  66. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.