Account Discovery via Built-In Tools

Adversaries may use built-in applications to get a listing of local system or domain accounts

id: 56fdf859-b2a7-4009-88e0-69fec4c3deef
categories: enrich
confidence: low
os: windows, macos, linux
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Discovery
techniques: T1087 Account Discovery

Query

process where subtype.create and (
  process_name == "net.exe" and wildcard(command_line, "* user*", "*localgroup *", "*group *") or
  process_name in ("groups", "id") or
  process_name == "dscl" and command_line == "*list /groups*" or
  process_name == "dscacheutil" and command_line == "*group*" or
  wildcard(command_line, "*/etc/passwd*", "*/etc/master.passwd*")
)
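To show how the predicate above behaves on real-looking events, the following is an added Python example, not code from the EQL analytics library. It re-implements the rule's logic (net.exe with user/group arguments, the groups/id/dscl/dscacheutil enumeration tools, and reads of /etc/passwd or /etc/master.passwd) so it can be run offline against constructed process-creation events. It assumes the event field names process_name, command_line and subtype from the query, represents subtype.create as the string "create", and uses Python's fnmatch globbing with lower-cased strings as a stand-in for EQL's wildcard matching, which is assumed here to be case-insensitive.

```python
"""Reference matcher for the account-discovery query (constructed example)."""
from fnmatch import fnmatchcase


def wildcard(value: str, *patterns: str) -> bool:
    """Mimic EQL wildcard(): True if value matches any glob pattern.

    Case-insensitive by assumption, to mirror EQL string comparison.
    """
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def is_account_discovery(event: dict) -> bool:
    """Return True when a process-creation event satisfies the query."""
    # subtype.create in the query; modelled here as subtype == "create"
    if event.get("subtype") != "create":
        return False
    name = event.get("process_name", "").lower()
    cmd = event.get("command_line", "")
    return (
        (name == "net.exe" and wildcard(cmd, "* user*", "*localgroup *", "*group *"))
        or name in ("groups", "id")
        or (name == "dscl" and wildcard(cmd, "*list /groups*"))
        or (name == "dscacheutil" and wildcard(cmd, "*group*"))
        or wildcard(cmd, "*/etc/passwd*", "*/etc/master.passwd*")
    )


# Constructed sample events: five should match, two should not.
SAMPLE_EVENTS = [
    {"subtype": "create", "process_name": "net.exe", "command_line": "net user"},
    {"subtype": "create", "process_name": "net.exe",
     "command_line": "net localgroup administrators"},
    # benign drive mapping: "net use" must not trip the "* user*" pattern
    {"subtype": "create", "process_name": "net.exe",
     "command_line": "net use \\\\fileserver\\share"},
    {"subtype": "create", "process_name": "id", "command_line": "id"},
    {"subtype": "create", "process_name": "dscl", "command_line": "dscl . list /Groups"},
    {"subtype": "create", "process_name": "cat", "command_line": "cat /etc/passwd"},
    # process termination events are outside the query's scope
    {"subtype": "terminate", "process_name": "net.exe", "command_line": "net user"},
]


def matching_events(events):
    """Filter a list of events down to those the rule would flag."""
    return [e for e in events if is_account_discovery(e)]


if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print(f"{e['process_name']:12} {e['command_line']}")
```

Running the block prints the five flagged events. The "net use" sample is included deliberately: the leading space in "* user*" is what keeps a drive mapping from matching, so keep that space if the patterns are ever edited. On Windows, note that net.exe typically launches net1.exe with the same arguments, so a net user invocation usually produces two process-creation events, of which only the net.exe one satisfies this query.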

Contributors