Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS, the dscl . list /Users command can be used to enumerate local accounts. On ESXi servers, the esxcli system account list command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) | Attack Pattern | Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) | Attack Pattern | 1 |