# T1087.001 Local Account

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS the <code>dscl . list /Users</code> command can be used to enumerate local accounts.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

Monitor for processes that can be used to enumerate user accounts, such as <code>net.exe</code> and <code>net1.exe</code>, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)
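
The detection guidance above reduces to two checks a hunter can automate: recognise the enumeration commands named in the technique description, and notice when several of them run on one host within seconds. The Python below is an added example written for this page, not code from MITRE or the page's authors; the event field names (ts, host, user, command_line), the category labels and the sample records are all constructed for illustration.

```python
"""Added example (not from MITRE or the page's authors): classify process-creation
records as local-account enumeration and flag bursts of such commands on one host,
the "quick succession" pattern from the detection guidance. Sample events are
constructed for illustration; the field names ts/host/user/command_line are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per enumeration method named in the technique description.
# Labels are ours. Matching on the arguments rather than the image name survives
# renamed binaries and catches both net.exe and the net1.exe it hands off to.
ENUM_PATTERNS = [
    ("net_user",       re.compile(r'^"?(?:.*\\)?net1?(?:\.exe)?"?\s+user(?:\s|$)', re.I)),
    ("net_localgroup", re.compile(r'^"?(?:.*\\)?net1?(?:\.exe)?"?\s+localgroup(?:\s|$)', re.I)),
    ("ps_localuser",   re.compile(r"Get-Local(?:User|GroupMember)\b", re.I)),
    ("unix_id_groups", re.compile(r"^(?:/usr/bin/)?(?:id|groups)(?:\s|$)")),
    ("etc_passwd",     re.compile(r"/etc/passwd\b")),
    ("macos_dscl",     re.compile(r"^dscl\s+\.\s+-?list\s+/Users\b", re.I)),
]
# /domain turns net user into Domain Account discovery (T1087.002); keep it apart.
DOMAIN_FLAG = re.compile(r"(?:^|\s)/domain\b", re.I)


def classify(command_line):
    """Return (label, scope) when the command line enumerates accounts, else None.
    scope is "domain" for the /domain variants, otherwise "local"."""
    cmd = command_line.strip()
    for label, pattern in ENUM_PATTERNS:
        if pattern.search(cmd):
            return label, ("domain" if DOMAIN_FLAG.search(cmd) else "local")
    return None


def find_bursts(events, window=timedelta(seconds=30), threshold=2):
    """Per host, report every run of >= threshold enumeration commands whose
    timestamps fall inside `window`; a run is consumed once reported."""
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev["command_line"])
        if hit:
            per_host[ev["host"]].append((ev["ts"], ev["user"], hit[0], hit[1], ev["command_line"]))

    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        i = 0
        while i < len(hits):
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                run = hits[i:j + 1]
                alerts.append({"host": host, "user": run[0][1], "first_seen": run[0][0],
                               "count": len(run),
                               "labels": sorted({h[2] for h in run}),
                               "scopes": sorted({h[3] for h in run}),
                               "commands": [h[4] for h in run]})
                i = j + 1
            else:
                i += 1
    return alerts


T0 = datetime(2021, 7, 8, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # WS01: net.exe -> net1.exe pair, localgroup, a /domain variant and PowerShell in 25 s
    {"ts": T0, "host": "WS01", "user": r"CORP\jdoe", "command_line": "net  user"},
    {"ts": T0, "host": "WS01", "user": r"CORP\jdoe", "command_line": r"C:\Windows\system32\net1  user"},
    {"ts": T0 + timedelta(seconds=12), "host": "WS01", "user": r"CORP\jdoe",
     "command_line": "net localgroup administrators"},
    {"ts": T0 + timedelta(seconds=20), "host": "WS01", "user": r"CORP\jdoe",
     "command_line": "net user /domain"},
    {"ts": T0 + timedelta(seconds=25), "host": "WS01", "user": r"CORP\jdoe",
     "command_line": "powershell.exe -NoP -C Get-LocalGroupMember Administrators"},
    # lnx01: a single id call, below threshold
    {"ts": T0 + timedelta(minutes=5), "host": "lnx01", "user": "www-data", "command_line": "id"},
    # lnx02: /etc/passwd read followed by groups three seconds later
    {"ts": T0 + timedelta(minutes=10), "host": "lnx02", "user": "svc_backup",
     "command_line": "cat /etc/passwd"},
    {"ts": T0 + timedelta(minutes=10, seconds=3), "host": "lnx02", "user": "svc_backup",
     "command_line": "groups root"},
    # WS02: look-alikes that must not match
    {"ts": T0 + timedelta(minutes=12), "host": "WS02", "user": r"CORP\svc_sql",
     "command_line": r"net use Z: \\fileserver\share"},
    {"ts": T0 + timedelta(minutes=12, seconds=1), "host": "WS02", "user": r"CORP\svc_sql",
     "command_line": "netstat -an"},
]

if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print(f'{a["host"]} {a["user"]} {a["first_seen"]:%H:%M:%S} '
              f'{a["count"]} cmds labels={a["labels"]} scopes={a["scopes"]}')
```

Run as a script it prints one alert for WS01 (five commands, local and domain scope) and one for lnx02; WS02's <code>net use</code> and <code>netstat</code> do not match. The window and threshold are deliberately conservative and should be tuned against a quiet-period baseline of your own telemetry before use.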

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Process:** Process Creation

  * **File:** File Access

  * **Command:** Command Execution

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has accessed ntuser.dat and UserClass.dat on compromised hosts.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>net user</code> for account discovery.(Citation: NCC Group Chimera January 2021)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) enumerated administrative users using the commands <code>net localgroup administrators</code>.(Citation: Cybereason Cobalt Kitty 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run <code>net user</code>, <code>net user /domain</code>, <code>net group “domain admins” /domain</code>, and <code>net group “Exchange Trusted Subsystem” /domain</code> to get account listings on a victim.(Citation: Palo Alto OilRig May 2016)| 
| Poseidon Group | [Poseidon Group](https://attack.mitre.org/groups/G0033) searches for administrator accounts on both the local victim machine and the network.(Citation: Kaspersky Poseidon Group)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used <code>net user</code> to conduct internal discovery of systems.(Citation: SecureWorks BRONZE UNION June 2017)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has used a tool that can obtain info about local and global group users, power users, and administrators.(Citation: Symantec Buckeye)| 
| admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following commands following exploitation of a machine with [LOWBALL](https://attack.mitre.org/software/S0042) malware to enumerate user accounts: <code>net user >> %temp%\download</code> <code>net user /domain >> %temp%\download</code>(Citation: FireEye admin@338)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used <code>net user</code> to enumerate local accounts on the system.(Citation: ESET ComRAT May 2020)(Citation: ESET Crutch December 2020)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) used the commands <code>net localgroup</code>, <code>net user</code>, and <code>net group</code> to find accounts on the system.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs account discovery using commands such as <code>net localgroup administrators</code> and <code>net group "REDACTED" /domain</code> on specific permissions groups.(Citation: Mandiant Operation Ke3chang November 2014)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1087/001)

  * [Elastic - Koadiac Detection With Eql](https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql), Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- An adversary who has obtained user-level execution on a host enumerates local accounts and group memberships to pick targets for credential theft, privilege escalation or lateral movement. On Windows this shows up as <code>net user</code> / <code>net localgroup</code> (net.exe spawning net1.exe), PowerShell, or direct Windows API calls; on Linux and macOS as <code>id</code>, <code>groups</code>, reads of <code>/etc/passwd</code> or <code>dscl . list /Users</code>. Expect to find it in process-creation / command-line telemetry and, on Windows, in Security events 4798 and 4799, typically as a cluster of discovery commands in quick succession from one account.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla | 1, 2 | None (local enumeration produces no network traffic) |

#### Turla 
- Runs <code>net user</code>, typically via cmd.exe from its implants (ComRAT, Crutch), to enumerate local accounts on the compromised host.

## Detection Blindspots

- Tools that enumerate accounts directly through the Windows API (the NetUserEnum / SAMR path the detection guidance attributes to remote access tools) create no <code>net.exe</code> process and no command line; only OS API telemetry or the 4798/4799 audit events will see them.
- Events 4798 and 4799 do not exist on Windows versions before Windows 10 / Server 2016 and are silent when the Account Management audit subcategories are not enabled.
- Command-line analytics keyed on the image name miss renamed or copied <code>net.exe</code> / <code>net1.exe</code>; key on the arguments (<code>user</code>, <code>localgroup</code>) instead.
- The host analytics below are Windows-only. Enumeration via <code>id</code>, <code>groups</code>, <code>/etc/passwd</code> or <code>dscl . list /Users</code> needs auditd or EDR process and file-access logging on the Linux and macOS hosts.

## Analytical References

  * [ESET Turla ComRAT](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)
  * [StigViewer Windows Server 2012](https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Account enumeration by itself is hard to call malicious: administrators, help-desk tooling and scripts run <code>net user</code> and <code>net localgroup</code> routinely. Judge it in context: which account ran it, from which parent process, on how many hosts, and whether it sits in a chain with other discovery commands (Discovery normally precedes Lateral Movement, so check what the account did next). If local accounts are not supposed to be used in your environment at all, any interactive use of one, let alone one enumerating its peers, is suspicious.

#### Analytic 1

  * **Information:** Check whether local user or group membership has been enumerated. Event 4798 ("A user's local group membership was enumerated") fires when a process looks up the groups a local user belongs to, e.g. <code>net user USERNAME</code>; event 4799 ("A security-enabled local group membership was enumerated") fires when a process lists the members of a local group, e.g. <code>net localgroup administrators</code>.

  * **Source:** Windows Audits

  * **Tool:** Kibana

  * **Notes:** Both events exist only on Windows 10 / Server 2016 and later, and only when the Audit User Account Management (4798) and Audit Security Group Management (4799) subcategories are enabled for Success. They are noisy: legitimate callers such as svchost.exe and explorer.exe generate them constantly, so pivot on CallerProcessName (net1.exe, powershell.exe, cmd.exe or an unfamiliar binary is the interesting case) and on the SubjectUserName / Computer pair rather than on raw counts. A 4799 against Administrators or Remote Desktop Users from an interactive user warrants a look regardless of caller.

  * **Query:** ```Event_ID:(4798 OR 4799)```

#### Analytic 2

  * **Information:** Check whether <code>net user</code> or <code>net localgroup</code> has been run, using Sysmon process creation (Event ID 1).

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** <code>net.exe</code> hands the work to <code>net1.exe</code>, so expect two process-creation events per command, usually within the same second; match on the arguments rather than the image name so renamed copies and the net1 child are both caught. Wildcards inside a quoted phrase are literal in both Lucene and KQL syntax, so <code>"*net user*"</code> does not search what it appears to; use a plain phrase on an analyzed field, or an unquoted wildcard on a keyword field. The same search also returns the <code>/domain</code> variants, which are Domain Account discovery (T1087.002) and worth separating. Pair with Analytic 1 and look for several discovery commands in quick succession from one user.

  * **Query:** ```Event_ID:1 AND (command.line:"net user" OR command.line:"net localgroup")```
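
Analytic 1 relies on Security events 4798 and 4799, which are noisy enough that the raw query needs a triage step before an analyst reads the results. The Python below is an added example for this page, not the authors' or Microsoft's code; the records mimic the real event fields (EventID, Computer, SubjectUserName, TargetUserName, CallerProcessName) but are constructed, and the caller baseline, high-value group list and service-subject list are assumptions to tune per environment.

```python
"""Added example (not from the page's authors or Microsoft): triage Windows
Security events 4798 / 4799 so that enumeration by an interactive user via
net1.exe or PowerShell stands out from the constant background of system callers.
Records are constructed to mimic the real event fields; the baseline sets are
assumptions, not vendor-supplied lists."""
from collections import Counter

# Callers that generate 4798/4799 during normal operation. Assumed baseline for
# illustration; derive your own from a quiet period in your environment.
BASELINE_CALLERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
}
# A 4799 against these local groups is surfaced even from a baselined caller,
# unless the subject is a built-in service identity (assumed lists).
HIGH_VALUE_GROUPS = {"administrators", "remote desktop users", "backup operators"}
SERVICE_SUBJECTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def triage(events, baseline=BASELINE_CALLERS):
    """Return the 4798/4799 events an analyst should look at.

    4798: a user's local group membership was enumerated (e.g. net user NAME).
    4799: a security-enabled local group's membership was enumerated
          (e.g. net localgroup administrators).
    Both require the Audit User Account Management / Audit Security Group
    Management subcategories and exist on Windows 10 / Server 2016 and later."""
    kept = []
    for ev in events:
        if ev["EventID"] not in (4798, 4799):
            continue
        caller = ev.get("CallerProcessName", "").lower()
        target = ev.get("TargetUserName", "").lower()
        subject = ev.get("SubjectUserName", "")
        sensitive = (ev["EventID"] == 4799 and target in HIGH_VALUE_GROUPS
                     and subject.upper() not in SERVICE_SUBJECTS)
        if caller not in baseline or sensitive:
            kept.append(ev)
    return kept


def summarize(kept):
    """Count surfaced events per (Computer, SubjectUserName, CallerProcessName)
    so a burst from one user through one unusual caller is visible at a glance."""
    return Counter((ev["Computer"], ev["SubjectUserName"],
                    ev["CallerProcessName"].lower()) for ev in kept)


SAMPLE_EVENTS = [  # constructed records, not real logs
    {"EventID": 4798, "Computer": "WS01", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe", "CallerProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4798, "Computer": "WS01", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrator", "CallerProcessName": r"C:\Windows\System32\net1.exe"},
    {"EventID": 4799, "Computer": "WS01", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "CallerProcessName": r"C:\Windows\System32\net1.exe"},
    {"EventID": 4799, "Computer": "WS01", "SubjectUserName": "SYSTEM",
     "TargetUserName": "Administrators", "CallerProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4799, "Computer": "WS03", "SubjectUserName": "helpdesk",
     "TargetUserName": "Administrators", "CallerProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4798, "Computer": "WS02", "SubjectUserName": "svc_sql",
     "TargetUserName": "svc_sql", "CallerProcessName": r"C:\Windows\explorer.exe"},
    # 4720 (account created) is a different event and must be ignored here
    {"EventID": 4720, "Computer": "WS02", "SubjectUserName": "admin",
     "TargetUserName": "newuser", "CallerProcessName": ""},
]

if __name__ == "__main__":
    for key, n in summarize(triage(SAMPLE_EVENTS)).items():
        print(n, *key)
```

On the sample data the svchost.exe and explorer.exe 4798s drop out, the SYSTEM-driven 4799 against Administrators drops out, and three events survive: jdoe's two net1.exe lookups on WS01 and helpdesk's explorer.exe 4799 against Administrators on WS03. Feed it the raw hits from the Analytic 1 query after normalising field names and review the summary before the individual events.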



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Enumeration of local accounts is entirely host-local: <code>net user</code>, <code>net localgroup</code>, <code>/etc/passwd</code> reads and <code>dscl</code> produce no network traffic, so there is nothing to hunt for on the wire for this sub-technique. The <code>/domain</code> variants seen in the adversary examples above (<code>net user /domain</code>, <code>net group "domain admins" /domain</code>) are Domain Account discovery (T1087.002) and do reach a domain controller over SMB / MSRPC (SAMR); if network coverage is wanted, that is where to build it.

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

