Adversaries may attempt to get a listing of local system or domain accounts.

Example commands that can acquire this information are net user, net group, and net localgroup using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.

On Mac, groups can be enumerated through the groups and id commands. On macOS specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

On Linux, local users can be enumerated through the use of the /etc/passwd file, which is world readable. On macOS, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

Also, groups can be enumerated through the
Enumerate all accounts by copying /etc/passwd to another file
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
output_file | Path where captured results will be placed | Path | ~/loot.txt |
cat /etc/passwd > #{output_file}
(requires root)
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
output_file | Path where captured results will be placed | Path | ~/loot.txt |
cat /etc/sudoers > #{output_file}
View accounts with UID 0
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
output_file | Path where captured results will be placed | Path | ~/loot.txt |
grep 'x:0:' /etc/passwd > #{output_file}
List opened files by user
Supported Platforms: Linux, macOS
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
Show if a user account has ever logged in remotely
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
output_file | Path where captured results will be placed | Path | ~/loot.txt |
lastlog > #{output_file}
Utilize groups and id to enumerate users and groups
Supported Platforms: Linux, macOS
Utilize local utilities to enumerate users and groups
Supported Platforms: macOS
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
Enumerate all accounts
Supported Platforms: Windows
net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
Enumerate all accounts via PowerShell
Supported Platforms: Windows
net user
net user /domain
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-aduser -filter *
net localgroup
Enumerate logged on users
Supported Platforms: Windows
query user
Enumerate logged on users via PowerShell
Supported Platforms: Windows
query user
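
Detection sketch for the commands listed above, as an added example that is not part of the original page or of the project it describes: it labels process command lines that match the page's enumeration commands and flags a host/user pair that runs several distinct ones within a short window. The event layout (timestamp, host, user, command line), the label names, the thresholds and the sample events are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Label -> regex for enumeration commands that appear on this page.
PATTERNS = {
    "net_user": re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
    "net_localgroup": re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "query_user": re.compile(r"\bquery(\.exe)?\s+user\b", re.I),
    "get_aduser": re.compile(r"\bget-aduser\b", re.I),
    "dscl_list": re.compile(r"\bdscl\s+\.\s+list\s+/(Users|Groups)\b"),
    "dscacheutil": re.compile(r"\bdscacheutil\s+-q\s+(user|group)\b"),
    "passwd_read": re.compile(r"\b(cat|grep)\b.*\s/etc/passwd\b"),
    "sudoers_read": re.compile(r"\bcat\s+/etc/sudoers\b"),
    "lastlog": re.compile(r"^\s*lastlog\b"),
}

def classify(cmdline):
    """Return the sorted labels whose pattern matches one command line."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(cmdline))

def find_bursts(events, min_distinct=3, window=timedelta(minutes=5)):
    """Map (host, user) -> labels when >= min_distinct distinct
    enumeration commands fall inside one sliding time window."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        for label in classify(cmd):
            hits[(host, user)].append((datetime.fromisoformat(ts), label))
    alerts = {}
    for key, seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1  # drop hits that fell out of the window
            labels = {label for _, label in seq[start:end + 1]}
            if len(labels) >= min_distinct:
                alerts[key] = sorted(labels)
                break
    return alerts

# Constructed sample events: (ISO timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "ws01", "alice", "net user"),
    ("2024-01-01T10:00:20", "ws01", "alice", 'net localgroup "Users"'),
    ("2024-01-01T10:01:05", "ws01", "alice", "cmdkey.exe /list"),
    ("2024-01-01T10:02:00", "ws01", "bob", r"net use \\fs01\share"),
    ("2024-01-01T09:00:00", "srv02", "carol", "cat /etc/passwd"),
    ("2024-01-01T11:30:00", "srv02", "carol", "lastlog"),
    ("2024-01-01T12:00:00", "mac03", "dave", "dscl . list /Users"),
    ("2024-01-01T12:00:30", "mac03", "dave", "dscacheutil -q group"),
    ("2024-01-01T12:01:00", "mac03", "dave", "grep 'x:0:' /etc/passwd"),
]
```

A single match is common administrative activity; the burst threshold is what separates a scripted discovery sweep from one-off use, and should be tuned against local baselines.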