Penetration testing

Explore Python for MITRE ATT&CK account and directory discovery

August 25, 2021 by Howard Poston

The MITRE ATT&CK framework breaks the lifecycle of a cyberattack into a series of tactics or goals that the attacker may need to achieve. For each of these goals, several different techniques are outlined for achieving them.

An attacker with access to a target environment needs information about that environment to achieve their end goals. In many cases, this information is only available once they are inside the environment because firewalls and other defenses limit the information accessible from the outside. For this reason, an attacker may need to perform discovery to collect the intelligence needed to plan the remainder of their campaign.


Introduction to account discovery

Digital systems use the concept of accounts to manage identities and access. Every user of a system, and every application that runs on it, has an account associated with it that describes its access and privileges on the system.

Information about these accounts can be invaluable to an attacker. Account information can help to determine the accounts that have the access and privileges needed to achieve the next step of the attack or which accounts might be worth compromising as a persistence mechanism.

User account discovery

Both Windows and *nix operating systems assign accounts to each of their users. While these operating systems manage the privileges associated with these accounts in different ways, the underlying concepts are the same.

The discovery of the user accounts associated with a particular system is a useful step for an attacker. For example, identifying an administrator account on a Windows computer may help the attacker to decide which account to try to compromise next.

User account discovery with Python

Windows Management Instrumentation (WMI) is an interface for interacting with the Windows operating system, and it is accessible from Python via the wmi library.

The script above (available on Github) demonstrates the use of WMI in Python to collect information about user accounts on a system. It iterates through the list of user accounts on the system and prints out information about each account, such as whether it is active, whether it has administrator access, whether it is a local or domain account, and its password settings.

The script also uses the system function to run the Windows net command-line utility. Invoked with the accounts flag (net accounts), this utility reports the system's password policy. This password policy information can be valuable for planning a password guessing attack on the system.
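The following is an added example, not the script the article links to: it parses the output of net accounts and a list of Win32_UserAccount records in the way a reviewer auditing a host would, flagging the settings that make password guessing easier (no minimum length, no expiry, no lockout, no password history) and enabled accounts that need no password or whose password never expires. The net accounts text and the account records are constructed samples so the code runs on any platform; on Windows the collect_live function (a name assumed here) gathers the real data with subprocess and the wmi package.

```python
"""Audit a Windows host's password policy and local accounts (added example)."""
import re
import subprocess
import sys

# Constructed sample of `net accounts` output on a workstation with a weak
# policy. Field labels are the ones the command prints; values are made up.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed sample records shaped like Win32_UserAccount properties.
SAMPLE_ACCOUNTS = [
    {"Name": "Administrator", "SID": "S-1-5-21-1111-2222-3333-500",
     "Disabled": False, "PasswordRequired": True, "PasswordExpires": False,
     "LocalAccount": True},
    {"Name": "Guest", "SID": "S-1-5-21-1111-2222-3333-501",
     "Disabled": True, "PasswordRequired": False, "PasswordExpires": False,
     "LocalAccount": True},
    {"Name": "svc_backup", "SID": "S-1-5-21-1111-2222-3333-1005",
     "Disabled": False, "PasswordRequired": False, "PasswordExpires": False,
     "LocalAccount": True},
]


def parse_net_accounts(text):
    """Turn the 'label:   value' lines of `net accounts` into a dict."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?\S)\s*:\s+(.*?)\s*$", line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy


def _as_int(value):
    """Map the textual values `net accounts` uses to a number or None (no limit)."""
    v = value.strip().lower()
    if v in ("never", "unlimited", "none"):
        return None
    try:
        return int(v)
    except ValueError:
        return None


def weak_policy_findings(policy):
    """List the policy settings that weaken resistance to password guessing."""
    findings = []
    length = _as_int(policy.get("Minimum password length", ""))
    if length is None or length < 8:
        findings.append("minimum password length below 8")
    if _as_int(policy.get("Maximum password age (days)", "")) is None:
        findings.append("passwords never expire")
    if _as_int(policy.get("Lockout threshold", "")) is None:
        findings.append("no account lockout threshold")
    history = _as_int(policy.get("Length of password history maintained", ""))
    if history is None or history < 1:
        findings.append("no password history enforced")
    return findings


def risky_accounts(accounts):
    """Return {name: [reasons]} for enabled accounts with weak settings."""
    result = {}
    for acct in accounts:
        if acct["Disabled"]:
            continue  # disabled accounts are not a guessing target
        reasons = []
        if not acct["PasswordRequired"]:
            reasons.append("no password required")
        if not acct["PasswordExpires"]:
            reasons.append("password never expires")
        if acct["SID"].endswith("-500"):  # RID 500 is the built-in Administrator
            reasons.append("built-in Administrator account is enabled")
        if reasons:
            result[acct["Name"]] = reasons
    return result


def collect_live():
    """On Windows gather real data; elsewhere fall back to the samples."""
    if sys.platform != "win32":
        return SAMPLE_NET_ACCOUNTS, SAMPLE_ACCOUNTS
    text = subprocess.run(["net", "accounts"], capture_output=True,
                          text=True, check=True).stdout
    import wmi  # third-party 'wmi' package, Windows only
    props = ("Name", "SID", "Disabled", "PasswordRequired",
             "PasswordExpires", "LocalAccount")
    accounts = [{p: getattr(u, p) for p in props}
                for u in wmi.WMI().Win32_UserAccount()]
    return text, accounts


if __name__ == "__main__":
    text, accounts = collect_live()
    for finding in weak_policy_findings(parse_net_accounts(text)):
        print("policy:", finding)
    for name, reasons in risky_accounts(accounts).items():
        print(f"account {name}: {', '.join(reasons)}")
```

Each finding maps directly to a hardening action (set a minimum length, enable lockout, force expiry), and the same checks can run on exported records from many hosts, which is where an auditor gets more value than from one machine's printout.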

Introduction to file and directory discovery

User accounts aren’t the only source of valuable information on a target system. A compromised machine may also contain a great deal of sensitive information in various files and folders.

File and directory discovery

Automatically searching for files and folders of interest on a computer can help an attacker to plan the next stage of their attack. For example, the discovery of personally identifiable information (PII) in some folders may lead to data theft. Alternatively, information about other systems on the network may help an attacker to plan the next stage of their campaign.

File and directory discovery with Python

Python can be used to access the file system and, with regular expressions, to check whether particular files contain data of interest.

The code sample above (available here) demonstrates the use of Python to look for certain types of PII within a particular directory. To do so, the code uses regular expressions designed to match email addresses, phone numbers and Social Security Numbers (SSNs). While these are highly standardized types of data (making them easy to search for), it is also possible to search for other types of data using context, keywords and similar cues.

This particular script looks only at text files and Microsoft Office files. For text files, the code reads in the contents of the file and applies the regex. Since Word documents are zip files, the code extracts their contents, reads in the text (stored in an XML file) and then searches for matches to the regex.
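As an added example (not the article's script), here is the same scan written the way a data-classification or DLP check would run it: walk a directory, read .txt files directly, open .docx files as zip archives and pull the text out of word/document.xml, then report regex matches for email addresses, US phone numbers and SSNs per file. The sample files are constructed in a temporary directory so the scan runs offline; build_sample_tree and scan_directory are names chosen here.

```python
"""Find PII in text and Word files under a directory (added example)."""
import os
import re
import tempfile
import zipfile
from xml.etree import ElementTree

# Deliberately simple patterns: good enough for triage, not for adjudication.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    # SSN with the area/group/serial values that are never issued excluded.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}


def text_from_docx(path):
    """A .docx is a zip container; the body text lives in word/document.xml."""
    with zipfile.ZipFile(path) as zf:
        xml = zf.read("word/document.xml")
    root = ElementTree.fromstring(xml)
    # Collect every <w:t> text node regardless of the namespace prefix used.
    return " ".join(e.text for e in root.iter()
                    if e.tag.endswith("}t") and e.text)


def text_from_file(path):
    """Return the searchable text of a file, or None for unsupported types."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".txt":
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    if ext == ".docx":
        return text_from_docx(path)
    return None


def scan_directory(root):
    """Return {relative path: {kind: [matches]}} for every file with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            text = text_from_file(path)
            if text is None:
                continue
            hits = {kind: pat.findall(text) for kind, pat in PATTERNS.items()}
            hits = {kind: found for kind, found in hits.items() if found}
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Constructed sample data: one text file, one .docx, one skipped binary."""
    root = tempfile.mkdtemp(prefix="pii_scan_")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("Contact jane.doe@example.com or (555) 123-4567.\n")
    doc_xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
               'wordprocessingml/2006/main"><w:body><w:p>'
               '<w:r><w:t>Employee SSN 219-09-9999 on file.</w:t></w:r>'
               '</w:p></w:body></w:document>')
    with zipfile.ZipFile(os.path.join(root, "hr.docx"), "w") as zf:
        zf.writestr("word/document.xml", doc_xml)
    with open(os.path.join(root, "image.bin"), "wb") as f:
        f.write(b"\x00\x01 123-45-6789")  # unsupported type, never read
    return root


if __name__ == "__main__":
    for rel_path, hits in scan_directory(build_sample_tree()).items():
        print(rel_path, hits)
```

Reading a .docx through the zip module rather than a Word automation object keeps the scan portable and avoids executing anything in the document. Expect false positives from the phone and SSN patterns on invoice or part numbers; in a classification workflow the matches are a queue for review, not a verdict.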

In this case, the Python code is used to identify and steal the data contained within these files. However, similar code could be used for other purposes, such as to target ransomware attacks to ensure that they only encrypt high-value files.

Using Python for account and directory discovery

Once inside a target system, an attacker needs to perform discovery to learn about the environment. Data about user accounts and the sensitive information contained within files on the system can be valuable to an attacker, and Python can be used to collect this information.



Howard Poston

Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.