Adversaries may attempt to get a listing of local system or domain accounts.

Example commands that can acquire this information are `net user`, `net group`, and `net localgroup` using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.

On Mac, groups can be enumerated through the `groups` and `id` commands. On Mac specifically, `dscl . list /Groups` and `dscacheutil -q group` can also be used to enumerate groups and users.

On Linux, local users can be enumerated through the use of the `/etc/passwd` file, which is world readable. On Mac, this same file is only used in single-user mode in addition to the `/etc/master.passwd` file.

Also, groups can be enumerated through the `groups` and `id` commands.

With authenticated access there are several tools that can be used to find accounts. The `Get-MsolRoleMember` PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)

Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command `az ad user list` will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)

The `Get-GlobalAddressList` PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)

Enumerate all accounts by copying /etc/passwd to another file
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | Path | ~/loot.txt |
cat /etc/passwd > #{output_file}
(requires root)
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | Path | ~/loot.txt |
cat /etc/sudoers > #{output_file}
View accounts with UID 0
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | Path | ~/loot.txt |
grep 'x:0:' /etc/passwd > #{output_file}
List opened files by user
Supported Platforms: Linux, macOS
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
Show if a user account has ever logged in remotely
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where captured results will be placed | Path | ~/loot.txt |
lastlog > #{output_file}
Utilize groups and id to enumerate users and groups
Supported Platforms: Linux, macOS
groups
id
Utilize local utilities to enumerate users and groups
Supported Platforms: macOS
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
Enumerate all accounts
Supported Platforms: Windows
net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
Enumerate all accounts via PowerShell
Supported Platforms: Windows
net user
net user /domain
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-aduser -filter *
get-localgroup
net localgroup
Enumerate logged on users
Supported Platforms: Windows
query user
Enumerate logged on users via PowerShell
Supported Platforms: Windows
query user
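
Detection logic for the commands listed in the tests above, as an added example that is not part of the original page: it flags a host/user pair when several distinct account-discovery commands appear within a short window. The event tuple layout, the 300-second window, the threshold of three distinct rules, and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns built from this page's commands; bare `groups`/`id` are too common to alert on.
RULES = [
    ("net listing", re.compile(r"^\s*net(\.exe)?\s+(user|group|localgroup)\b", re.I)),
    ("cmdkey listing", re.compile(r"^\s*cmdkey(\.exe)?\s+/list\b", re.I)),
    ("logged-on users", re.compile(r"^\s*query(\.exe)?\s+user\b", re.I)),
    ("PowerShell cmdlet", re.compile(
        r"\bget-(localuser|localgroup|localgroupmember|aduser|msolrolemember|globaladdresslist)\b", re.I)),
    ("az user listing", re.compile(r"\baz\s+ad\s+user\s+list\b", re.I)),
    ("macOS directory listing", re.compile(
        r"\bdscl\s+\.\s+list\s+/(Users|Groups)\b|\bdscacheutil\s+-q\s+(user|group)\b")),
    ("passwd/sudoers read", re.compile(r"\b(cat|grep)\b.*\s/etc/(passwd|sudoers)\b")),
    ("lastlog", re.compile(r"^\s*lastlog\b")),
]

# Constructed process-creation events: (epoch seconds, host, user, command line).
SAMPLE_EVENTS = [
    (1000, "ws01", "alice", "net user /domain"),
    (1020, "ws01", "alice", "cmdkey.exe /list"),
    (1045, "ws01", "alice", 'net localgroup "Users"'),
    (1060, "ws01", "alice", "query user"),
    (2000, "srv02", "bob", "cat /etc/passwd"),   # isolated lookup, no alert
    (9000, "srv02", "bob", "lastlog"),           # outside the window
    (3000, "mac03", "carol", "dscl . list /Users"),
    (3010, "mac03", "carol", "dscacheutil -q group"),
    (3030, "mac03", "carol", "cat /etc/passwd > ~/loot.txt"),
    (3050, "mac03", "carol", "lastlog > ~/loot.txt"),
]

def classify(cmdline):
    """Return the label of every rule the command line matches."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def find_bursts(events, window=300, threshold=3):
    """Map (host, user) to labels seen once `threshold` distinct rules fire within `window` s."""
    recent, alerts = defaultdict(list), {}
    for ts, host, user, cmdline in sorted(events):
        key = (host, user)
        recent[key] = [(t, l) for t, l in recent[key] if ts - t <= window]
        recent[key] += [(ts, label) for label in classify(cmdline)]
        distinct = {label for _, label in recent[key]}
        if len(distinct) >= threshold:
            alerts.setdefault(key, set()).update(distinct)
    return {key: sorted(labels) for key, labels in alerts.items()}

if __name__ == "__main__":
    print(find_bursts(SAMPLE_EVENTS))
```

Counting distinct rules rather than raw matches keeps a single repeated command, such as an administrator rerunning `net user`, from raising an alert on its own.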