This note documents detection patterns related to Linux Account Enumeration on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
Shell history	`cat /etc/passwd`	Full local account enumeration	Critical	Very common first discovery step.
Shell history	`getent passwd`	NSS-aware account enumeration	Critical	Better than passwd-only on domain-integrated systems.
Shell history	`id`	Current identity check	High	Common first foothold command.
Shell history	`whoami`	Current user confirmation	High	Typical first manual operator action.
Shell history	`groups`	Group membership discovery	Critical	Immediate privilege assessment.
Shell history	`sudo -l`	Privilege enumeration	Critical	Very high-value attacker command.
Shell history	`last`	Historical account usage	High	Operator context gathering.
Shell history	`w`	Live logged-in users	High	Lateral target awareness.
Shell history	`who`	Active sessions	High	Operator situational awareness.
Shell history	`finger`	Legacy user discovery	Medium	Rare but useful when present.
Shell history	`ls /home`	User inventory	High	Simple account discovery.
`auditd`	repeated identity commands	Process attribution	Critical	Best attribution if enabled.
`journalctl`	sudo enumeration traces	Runtime clue	High	Useful around privilege attempts.
File timestamps	passwd/group reads near foothold	Timeline anchor	Medium	Context strengthens value.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Enumeration immediately after login	Manual foothold behavior	Critical	Common attacker progression.
`sudo -l` followed by GTFOBins abuse	Privilege escalation chain	Critical	Strong hostile sequence.
`getent passwd` on server with LDAP	Domain-aware reconnaissance	Critical	Higher operator maturity.
`last` plus SSH movement	Target selection	High	Strong lateral planning clue.
Home listing plus key hunting	Credential collection	Critical	Common chain.
Enumeration under service account	Suspicious context	Critical	Often exploitation-driven shell.
Repeated identity checks after sudo	Privilege verification	High	Common escalation flow.
`w` plus SSH to other hosts	Live user targeting	Critical	Lateral intent clue.
Enumeration plus hidden payload staging	Active intrusion	Critical	Strong broader compromise context.
Minimal commands but precise privilege checks	Mature operator behavior	High	Skilled hands-on-keyboard clue.

Common Tools

Tool	Usage
`cat /etc/passwd`	Local user inventory.
`getent passwd`	Full NSS account lookup.
`id`	UID/GID check.
`groups`	Group membership.
`sudo -l`	Sudo rights discovery.
`last`	Historical sessions.
`w` / `who`	Active sessions.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Accounts	`/etc/passwd`	Critical	Primary local identity source.
Groups	`/etc/group`	Critical	Privilege context.
Sudo rights	`/etc/sudoers`, `/etc/sudoers.d/`	Critical	Escalation surface.
Session logs	`/var/log/auth.log`, `/var/log/wtmp`	High	Account activity context.
Shell history	`.bash_history`, `.zsh_history`	Critical	Enumeration commands.
Audit logs	`/var/log/audit/audit.log`	Critical	Process attribution.

MITRE ATT&CK References

T1087 Account Discovery
T1087.001 Local Account
T1069 Permission Groups Discovery

Decision Tree

Was account enumeration performed?
- Search shell history and audit logs.
Was privilege checked?
- groups, id, sudo -l.
Were active users reviewed?
- w, who, last.
Did enumeration lead to escalation?
- Sudo abuse, key hunting, SSH movement.
Is enumeration context suspicious?
- Service account, web shell, fresh login.
Pivot
- User list → targets.
- Groups → escalation opportunities.
- Timeline → foothold progression.
Confirm hostile enumeration
- Identity commands + privilege checks + intrusion timing = strong reconnaissance finding.

Example Detection Templates

Grep

grep -R "cat /etc/passwd\|getent passwd\|id\|whoami\|groups\|sudo -l\|last\|w\|who" /home/*/.bash_history /root/.bash_history 2>/dev/null

grep -R "ls /home\|finger" /home/*/.bash_history /root/.bash_history 2>/dev/null

Journalctl

journalctl | grep sudo

File Inspection

stat /etc/passwd

cat /etc/sudoers 2>/dev/null

Sigma

title: Linux Account Enumeration
id: linux-account-enumeration
status: experimental
description: Detects suspicious account and privilege enumeration activity on Linux systems
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'cat /etc/passwd'
      - 'getent passwd'
      - 'sudo -l'
      - 'groups'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate administration
level: medium
tags:
  - attack.discovery
  - attack.t1087

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Auditd	Track discovery commands	High	Strong attribution.
Least privilege	Restrict unnecessary sudo rights	Critical	Reduces escalation payoff.
Shell logging	Preserve command history centrally	High	Retains early discovery steps.
Service account control	Limit shell access	High	Reduces abuse context.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Was passwd read?	grep history	Immediate discovery clue.
Was sudo checked?	grep sudo -l	Escalation intent.
Were active users inspected?	grep w/who/last	Target awareness.
Did enumeration lead to privilege abuse?	correlate next commands	Attack progression.
Was account context suspicious?	user/process context	Signal strength.

High Value Grep Strings

Pattern	Why It Matters
`cat /etc/passwd`	Local account discovery.
`getent passwd`	Full account lookup.
`id`	Identity check.
`groups`	Privilege check.
`sudo -l`	Escalation reconnaissance.
`last`	Session history review.
`w`	Live user discovery.

Analyst Notes

Scenario	Interpretation
`sudo -l` immediately after login	Strong escalation intent.
`getent passwd` on LDAP-integrated host	Domain-aware reconnaissance.
`w` then SSH movement	Live target selection likely.
Enumeration under www-data	Highly suspicious foothold behavior.
Minimal commands but precise checks	Mature operator behavior.
Enumeration followed by key access	Credential path beginning.