discord

Local Account

Local Account [T1087.001]

Information

  • Name: Local Account

  • ID: T1087.001

  • Tactics: TA0007

  • Technique: T1087

Introduction

Local Account [T1087.001] is a sub-technique under the Account Discovery (T1087) tactic within the MITRE ATT&CK framework. Attackers leverage this technique to enumerate and discover local user accounts on compromised systems. The primary goal is to gather intelligence, identify potential privilege escalation opportunities, and facilitate lateral movement within the targeted environment. Identifying local accounts provides attackers with critical insights into the security posture, account permissions, and user profiles on the compromised host.

Deep Dive Into Technique

Attackers execute this sub-technique by employing various built-in operating system commands, scripts, and third-party tools to enumerate local accounts. Common execution methods include:

  • Windows Operating System:

    • Utilizing built-in commands such as:

      • net user: Lists local user accounts on the host.

      • net localgroup administrators: Lists local administrator accounts.

      • wmic useraccount get: Retrieves detailed user account information.

      • PowerShell commands such as Get-LocalUser and Get-WmiObject Win32_UserAccount.

    • Accessing the Security Account Manager (SAM) database to extract local account details.

    • Leveraging scripts, batch files, or PowerShell scripts to automate enumeration tasks.

  • Linux/Unix Operating Systems:

    • Inspecting /etc/passwd file to enumerate local user accounts.

    • Executing commands such as:

      • cat /etc/passwd: Lists all local users.

      • getent passwd: Retrieves user account information from configured databases.

      • id, who, and w: Display information about currently logged-in users.

    • Enumerating user groups and permissions using commands like groups, cat /etc/group, or getent group.

Attackers often integrate these enumeration methods into automated scripts or malware payloads to streamline the reconnaissance process, enabling them to rapidly identify potential targets for privilege escalation, lateral movement, or persistence.

When this Technique is Usually Used

Attackers typically use this sub-technique during various stages of the cyber attack lifecycle, including:

  • Initial Reconnaissance and Discovery:

    • Immediately after initial access to gather intelligence on the compromised host.

    • Determining available accounts that could be leveraged for persistence or escalation.

  • Privilege Escalation:

    • Identifying local administrator accounts or privileged users to escalate privileges.

    • Discovering dormant or unused local accounts with elevated permissions.

  • Lateral Movement:

    • Enumerating local accounts across different hosts to facilitate lateral movement.

    • Collecting information to exploit trust relationships or shared credentials between systems.

  • Persistence:

    • Identifying rarely monitored or inactive local accounts to establish persistent access.

    • Creating or modifying local accounts to maintain long-term footholds within compromised environments.

How this Technique is Usually Detected

Detection methods for local account enumeration include a combination of proactive monitoring, logging, and security tooling:

  • System and Audit Logs:

    • Monitor Windows Event Logs for suspicious usage of account enumeration commands (net user, wmic, PowerShell commands).

    • Analyze Linux system logs (/var/log/auth.log, /var/log/secure) for unusual commands or access to sensitive files like /etc/passwd.

  • Endpoint Detection and Response (EDR) Tools:

    • Detect execution of enumeration commands or scripts.

    • Identify unusual access patterns to SAM database or sensitive files.

  • Behavioral Monitoring and Analytics:

    • Implement anomaly detection to flag abnormal account enumeration behaviors.

    • Monitor for spikes in enumeration commands or scripts executed by non-administrative accounts.

  • Security Information and Event Management (SIEM) Solutions:

    • Correlate logs and alert on suspicious account discovery activities.

    • Create custom rules to detect enumeration command execution across multiple systems.

  • Indicators of Compromise (IoCs):

    • Unusual command-line arguments or scripts executed to enumerate local accounts.

    • Presence of unauthorized scripts or tools designed specifically for account enumeration.

    • Repeated access or reads of sensitive files such as /etc/passwd or SAM database.

Why it is Important to Detect This Technique

Early detection of local account enumeration is crucial due to its potential impact on security posture, including:

  • Privilege Escalation Risks:

    • Attackers can leverage enumerated accounts to escalate privileges and gain administrative control over compromised systems.

  • Lateral Movement Facilitation:

    • Discovery of local accounts across hosts can enable attackers to pivot and propagate throughout the network.

  • Persistence and Long-term Access:

    • Enumerating local accounts allows attackers to identify or create accounts that facilitate persistent access, complicating incident response and remediation efforts.

  • Data Exfiltration and System Compromise:

    • Attackers can exploit privileged local accounts to access sensitive data, install additional malware, or disrupt critical services.

Early detection enables organizations to respond promptly, minimizing the attacker's ability to escalate privileges, move laterally, or establish persistence. It also reduces potential damage, data loss, and the overall impact of a security incident.

Examples

Real-world examples of attackers leveraging local account enumeration include:

  • APT Groups and State-sponsored Actors:

    • Attackers such as APT29 (Cozy Bear) and APT28 (Fancy Bear) have used enumeration commands (net user, PowerShell scripts) to discover local accounts on compromised Windows hosts, facilitating privilege escalation and lateral movement.

  • Ransomware Operators:

    • Ryuk ransomware operators have been observed enumerating local administrator accounts to escalate privileges, propagate ransomware payloads, and achieve widespread network compromise.

  • Penetration Testing Frameworks and Tools:

    • Tools such as Metasploit, BloodHound, and PowerSploit modules include built-in scripts and modules specifically designed for local account enumeration on Windows and Linux systems.

    • Attackers frequently leverage these publicly available frameworks to automate enumeration tasks during intrusion operations.

  • Credential Theft and Reuse Attacks:

    • Attackers have been observed enumerating local accounts to identify dormant or unused accounts, then performing password spraying or brute force attacks to compromise these accounts and establish persistence.

The impacts of these real-world scenarios include unauthorized access to sensitive data, extensive lateral movement, privilege escalation, persistent footholds within networks, and significant disruptions to business operations.

Last updated

Was this helpful?