Applied Cybernetics Group
T1087.001 — Local Account
- Technique: T1087.001
- Tactics: Discovery
- MISP citations: 0
- KEV CVEs mapped: 1
- Community rules: 13
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1087/001
MITRE description
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as `net user` and `net localgroup` of the [Net](https://attack.mitre.org/software/S0039) utility and `id` and `groups` on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the `/etc/passwd` file. On macOS, the `dscl . list /Users` command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Net.EXE Execution (threat-hunting)
- Local System Accounts Discovery - Linux (core)
- Local System Accounts Discovery - MacOs (core)
- Cisco Collect Data (core)
- BloodHound Collection Files (core)
- Malicious PowerShell Commandlets - PoshModule (core)
- Malicious PowerShell Commandlets - ScriptBlock (core)
- HackTool - Bloodhound/Sharphound Execution (core)
- Suspicious Group And Account Reconnaissance Activity Using Net.EXE (core)
- Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet (core)
- Malicious PowerShell Commandlets - ProcessCreation (core)
- Local Accounts Discovery (core)
- Suspicious Use of PsLogList (core)