Adversaries may attempt to get a listing of local system or domain accounts. On Linux, local users can be enumerated through the /etc/passwd file, which is world readable. On macOS, this same file is only consulted in single-user mode, alongside the /etc/master.passwd file. Groups can also be enumerated through the groups and id commands.
Atomic Test #1 - Enumerate all accounts
cat /etc/passwd > #{output_file}
Atomic Test #2 - View sudoers access
cat /etc/sudoers > #{output_file}
Atomic Test #3 - View accounts with UID 0 (note: the command as shown lists the current user's open files with lsof; it does not itself filter /etc/passwd for UID 0)
username=$(echo "$HOME" | awk -F'/' '{print $3}') && lsof -u "$username"
lsof -u "$USER"
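As an added example (not part of the Atomic Red Team tests or the original page), the following Python parses /etc/passwd content and pulls out what the tests above are after: every account, the accounts with UID 0, and the accounts with a usable login shell. The file content is constructed inline rather than read from a host, and it deliberately contains a second UID-0 account so the UID-0 check shows what a defender running the same enumeration would want to catch. The set of non-login shells is an assumption; adjust it for the distribution in use.

```python
# Constructed sample /etc/passwd content (not taken from a real host).
# Seven colon-separated fields: name:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
# a malformed line that a parser must tolerate
broken:line
backdoor:x:0:0:toor:/tmp/.x:/bin/sh
"""

# Assumed list of shells that deny interactive login; extend per distribution.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Return one dict per well-formed /etc/passwd line; skip blanks, comments and malformed lines."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed: do not crash the whole enumeration on one bad line
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                             "home": home, "shell": shell})
        except ValueError:
            continue  # non-numeric UID/GID is also malformed
    return accounts


def uid0_accounts(accounts):
    """Every account with UID 0: on a healthy host this should be exactly ['root']."""
    return [a["name"] for a in accounts if a["uid"] == 0]


def login_capable(accounts):
    """Accounts whose shell permits an interactive login."""
    return [a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    print("all accounts :", [a["name"] for a in accts])
    print("UID 0        :", uid0_accounts(accts))
    print("login shells :", login_capable(accts))
```

The same UID-0 check from the shell is `awk -F: '$3 == 0 {print $1}' /etc/passwd`; any name other than root in that output warrants a look.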
Atomic Test #4 - Show if a user account has ever logged in remotely
lastlog > #{output_file}
Atomic Test #5 - Enumerate users and groups
groups
id
Detection: bash_history logs (Splunk)
index=linux sourcetype=bash_history "cat /etc/passwd" | table host,user_name,bash_command
index=linux sourcetype=bash_history "cat /etc/sudoers" | table host,user_name,bash_command
index=linux sourcetype=bash_history "lsof -u *" | table host,user_name,bash_command
index=linux sourcetype=bash_history lastlog | table host,user_name,bash_command
index=linux sourcetype=bash_history groups OR id | table host,user_name,bash_command
Note: these alerts should be viewed in context rather than in isolation, as system administrators run these commands daily for legitimate operations. The groups OR id search in particular will be noisy on its own.
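The searches above can be reproduced outside Splunk for testing. The following Python is an added example (not from the original page): it runs the same five patterns over constructed bash_history records carrying the host, user_name and bash_command fields the searches table, and adds a rollup that only alerts when one user on one host runs three or more distinct enumeration command families inside a ten-minute window, which is one way to apply the context caveat in the note. The sample records, the window and the threshold are assumptions to be tuned.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample bash_history records: (host, user_name, timestamp, bash_command).
# Not real data. The www-data burst on db02 is the shape of activity worth alerting on.
SAMPLE_EVENTS = [
    ("web01",   "sysadmin", "2024-05-01T09:00:00", "cat /etc/passwd"),
    ("web01",   "sysadmin", "2024-05-01T14:10:00", "id"),
    ("db02",    "www-data", "2024-05-01T02:13:05", "cat /etc/passwd"),
    ("db02",    "www-data", "2024-05-01T02:13:09", "cat /etc/sudoers"),
    ("db02",    "www-data", "2024-05-01T02:13:20", "lastlog"),
    ("db02",    "www-data", "2024-05-01T02:13:31", "lsof -u www-data"),
    ("db02",    "www-data", "2024-05-01T02:14:02", "groups"),
    ("bastion", "alice",    "2024-05-01T11:45:00", "ls -la /etc"),
]

# One regex per enumeration family, mirroring the five Splunk searches.
PATTERNS = {
    "passwd":  re.compile(r"\bcat\s+/etc/passwd\b"),
    "sudoers": re.compile(r"\bcat\s+/etc/sudoers\b"),
    "lsof":    re.compile(r"\blsof\s+-u\s+\S+"),
    "lastlog": re.compile(r"\blastlog\b"),
    "groups":  re.compile(r"^\s*(groups|id)(\s|$)"),   # command at start of line only
}


def match_events(events):
    """Return (host, user, ts, family, command) for every record that hits a pattern."""
    hits = []
    for host, user, ts, cmd in events:
        for family, rx in PATTERNS.items():
            if rx.search(cmd):
                hits.append((host, user, ts, family, cmd))
                break  # one family per record is enough
    return hits


def clustered_alerts(events, window=timedelta(minutes=10), min_families=3):
    """Flag (host, user) pairs that run >= min_families distinct families within `window`.

    A lone `cat /etc/passwd` is routine; passwd + sudoers + lastlog + lsof within
    a minute from a service account is the context the note asks for.
    """
    by_actor = defaultdict(list)
    for host, user, ts, family, _cmd in match_events(events):
        by_actor[(host, user)].append((datetime.fromisoformat(ts), family))

    alerts = []
    for (host, user), items in by_actor.items():
        items.sort()
        for t0, _ in items:                       # slide the window from each hit
            fams = {f for t, f in items if t0 <= t <= t0 + window}
            if len(fams) >= min_families:
                alerts.append((host, user, sorted(fams)))
                break                              # one alert per actor
    return alerts


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("hit  :", hit)
    for alert in clustered_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Tune `window` and `min_families` against the environment's baseline; sysadmins on web01 trip two patterns hours apart and stay below the threshold, while the www-data burst on db02 (a web server account that should never be reading sudoers) is the one that fires.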