EXPLORE

← Back to Explore

T1087.001

Local Account

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, l...

ESXiLinuxmacOSWindows

32

Detections

3

Sources

18

Threat Actors

BY SOURCE

14splunk_escu12sigma6elastic

PROCEDURES (23)

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Lateral3 detections

Auto-extracted: 3 detections for lateral

Powershell2 detections

Auto-extracted: 2 detections for powershell

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Wmi2 detections

Auto-extracted: 2 detections for wmi

Script Block2 detections

Auto-extracted: 2 detections for script block

Script Block1 detections

Auto-extracted: 1 detections for script block

Powershell1 detections

Auto-extracted: 1 detections for powershell

Lateral1 detections

Auto-extracted: 1 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Service1 detections

Auto-extracted: 1 detections for service

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Dump1 detections

Auto-extracted: 1 detections for dump

Privilege1 detections

Auto-extracted: 1 detections for privilege

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Azure1 detections

Auto-extracted: 1 detections for azure

Azure1 detections

Auto-extracted: 1 detections for azure

Lateral1 detections

Auto-extracted: 1 detections for lateral

Privilege1 detections

Auto-extracted: 1 detections for privilege

Powershell1 detections

Auto-extracted: 1 detections for powershell

THREAT ACTORS (18)

admin@338 APT1 APT3 APT32 APT41 APT42 Chimera Fox Kitten Ke3chang Lotus Blossom Medusa Group Moses Staff OilRig Poseidon Group RedCurl Threat Group-3390 Turla Volt Typhoon

DETECTIONS (32)

BloodHound Collection Files

Cisco Collect Data

Detect AzureHound Command-Line Arguments

Detect AzureHound File Modifications

Detect SharpHound Command-Line Arguments

Detect SharpHound File Modifications

Detect SharpHound Usage

Enumeration of Administrator Accounts

Enumeration of Users or Groups via Built-in Commands

GetLocalUser with PowerShell

GetLocalUser with PowerShell Script Block

GetWmiObject User Account with PowerShell

GetWmiObject User Account with PowerShell Script Block

HackTool - Bloodhound/Sharphound Execution

Local Account Discovery With Wmic

Local Accounts Discovery

Local System Accounts Discovery - Linux

Local System Accounts Discovery - MacOs

Malicious PowerShell Commandlets - PoshModule

Malicious PowerShell Commandlets - ProcessCreation

Malicious PowerShell Commandlets - ScriptBlock

Mounting Hidden or WebDav Remote Shares

Network Traffic to Active Directory Web Services Protocol

Potential Meterpreter Reverse Shell

PowerShell Suspicious Discovery Related Windows API Functions

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet

Suspicious Use of PsLogList

Unusual User Privilege Enumeration via id

Windows Account Discovery for None Disable User Account

Windows SOAPHound Binary Execution

Windows User Discovery Via Net