Find sigma rule
Attack: Account Discovery: Local Account
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as `net user` and `net localgroup` of the Net utility and `id` and `groups` on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the `/etc/passwd` file. On macOS the `dscl . list /Users` command can be used to enumerate local accounts.
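Detection logic for the commands named above, as an added example that is not part of the original page or of any Sigma rule it refers to: it labels process command lines that list local accounts. The sample command lines, label strings and function names are constructed for illustration.

```python
import re

# Constructed process-creation command lines for illustration (not from the page).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\net.exe user",
    "net localgroup Administrators",
    "net user svc_backup /add",          # account change, not a listing
    "/usr/bin/id",
    "groups www-data",
    "cat /etc/passwd | cut -d: -f1",
    "dscl . list /Users",
    "grep -r id /var/log",               # "id" only as an argument
]

# Shell operators that chain commands on one line (naive: ignores quoting).
_SEP = re.compile(r"\s*(?:\|\||&&|[|;&])\s*")

def _exe_name(token):
    """Normalise /usr/bin/id or C:\\...\\net.exe to a bare lowercase name."""
    name = re.split(r"[\\/]", token.strip("\"'"))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def _classify_segment(segment):
    tokens = segment.split()
    if not tokens:
        return None
    exe = _exe_name(tokens[0])
    args = [t.strip("\"'<") for t in tokens[1:]]
    low = [a.lower() for a in args]
    if exe == "net" and low and low[0] in ("user", "localgroup"):
        # /add and /delete modify accounts; they are not discovery.
        if "/add" not in low and "/delete" not in low:
            return "net " + low[0]
    if exe in ("id", "groups"):
        return exe
    if exe == "dscl" and len(low) >= 3 and low[0] == "." \
            and low[1].lstrip("-") == "list" and low[2] == "/users":
        return "dscl list /Users"
    if "/etc/passwd" in args:
        return "read /etc/passwd"
    return None

def classify(cmdline):
    """Return the T1087.001 command labels found in one command line."""
    labels = (_classify_segment(s) for s in _SEP.split(cmdline))
    return [label for label in labels if label]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(f"{classify(line)!s:24} {line}")
```

`id` and `groups` also run routinely in login and maintenance scripts, so these labels are best combined with the parent process and user context before alerting.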
MITRE
Tactic
- discovery
Technique
- T1087.001
Test: Show if a user account has ever logged in remotely
OS
- linux
Description:
Show if a user account has ever logged in remotely
Executor
sh