AN0847: Analytic 0847
Enumeration of local users or groups via file access (/etc/passwd) or commands like id, groups.
Analyst context for executives and security teams
This analytic concerns a common Linux discovery behavior: checking local users and groups by reading /etc/passwd or running commands such as id or groups. For leaders, the value is not that every lookup is malicious—many are normal administration—but that this behavior can be an early sign an actor is mapping identity context after gaining access. It matters because local account and group visibility can shape privilege escalation decisions, lateral movement planning, and incident scope assessment.
Executive priority
Prioritize this as a coverage-validation item for Linux estate visibility, SOC triage quality, and incident response readiness. The business question is whether the organization can distinguish routine administrative or application activity from unusual identity enumeration on important Linux systems. This also supports audit and compliance evidence around monitoring of privileged systems, but the supplied ATT&CK object does not provide a specific tactic, mitigation, or detection logic.
Technical view
Validate whether Linux endpoint, process, shell, and file-access telemetry can show access to /etc/passwd and execution of identity/group discovery commands such as id and groups. Because no official detection logic is provided, SOC and detection engineering teams should treat this as a detection design prompt rather than a ready-made rule. Tune around expected baselines for administrators, service accounts, configuration management, login scripts, and monitoring tools, then focus review on unexpected users, unusual parent processes, unusual host roles, or activity occurring near other suspicious events.
Likely telemetry
- Linux process execution events for commands such as id and groups
- Shell command history or session telemetry where available and appropriate
- File access telemetry for /etc/passwd
- User, UID, GID, and group context from Linux audit or endpoint tooling
- Parent process, account, host role, and timestamp context for triage
Detection direction
- Confirm that Linux systems in scope generate and forward process execution telemetry with command-line details where permitted.
- Assess whether file access to /etc/passwd is visible; if not, document that blind spot and rely on process/session context where available.
- Baseline legitimate administrative, automation, and application-driven use of id, groups, and /etc/passwd access to reduce false positives.
- Prioritize alerts when enumeration is performed by unusual accounts, from unexpected parent processes, on sensitive servers, or in proximity to other suspicious activity.
- Do not treat a single /etc/passwd read or id/groups execution as conclusive malicious activity without local context.
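The scoring approach the list above describes, as an added example that is not part of the ATT&CK page or MITRE's analytic: constructed process-execution, file-access and authentication events are run through a small triage routine that flags id/groups execution or /etc/passwd reads and scores each hit on parent process, account baseline, host role and proximity to a suspicious auth event. The baselines, weights, threshold and event records are all assumptions for illustration; a real deployment derives the baselines from observed history.

```python
"""Context-scored triage for Linux local user/group enumeration.

Added example, not code from the ATT&CK page or from MITRE. All events,
baselines and weights below are constructed for illustration.
"""
from datetime import datetime, timedelta

ENUM_EXECS = {"id", "groups"}                 # discovery commands named by the analytic
ENUM_FILES = {"/etc/passwd", "/etc/group"}    # identity files read during enumeration

# Constructed baselines (assumptions); derive these from observed history in a real estate.
BASELINE_USERS = {"root", "ansible", "nagios"}
BASELINE_PARENTS = {"ansible-playbook", "puppet", "cron", "nrpe"}
SERVICE_PARENTS = {"php-fpm", "apache2", "nginx", "java", "node"}  # should not spawn id/groups
SENSITIVE_ROLES = {"bastion", "database", "ci-runner"}
SUSPICIOUS_AUTH = {"sudo_failure", "ssh_login_new_source"}

# Constructed telemetry: exec events (process execution), open events (file
# access) and auth events, in the shape an EDR or auditd pipeline might emit.
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "cfg01", "role": "workstation", "user": "root",
     "parent": "/usr/bin/ansible-playbook", "kind": "exec", "cmd": "id -u"},
    {"ts": "2024-05-01T09:15:40", "host": "ws22", "role": "workstation", "user": "jdoe",
     "parent": "/bin/bash", "kind": "exec", "cmd": "groups"},
    {"ts": "2024-05-01T10:02:11", "host": "web01", "role": "web", "user": "www-data",
     "parent": "/usr/sbin/php-fpm", "kind": "open", "path": "/etc/passwd"},
    {"ts": "2024-05-01T11:30:05", "host": "bastion01", "role": "bastion", "user": "jdoe",
     "parent": "/usr/bin/sudo", "kind": "auth", "detail": "sudo_failure"},
    {"ts": "2024-05-01T11:33:20", "host": "bastion01", "role": "bastion", "user": "jdoe",
     "parent": "/bin/bash", "kind": "exec", "cmd": "cat /etc/passwd"},
]


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def is_enumeration(ev):
    """True for id/groups execution or a read of an identity file.

    The command-line check on exec events is the fallback for estates without
    file-access telemetry (the blind spot the detection direction notes)."""
    if ev["kind"] == "exec":
        argv = ev["cmd"].split()
        return _basename(argv[0]) in ENUM_EXECS or any(a in ENUM_FILES for a in argv[1:])
    if ev["kind"] == "open":
        return ev["path"] in ENUM_FILES
    return False


def nearby_suspicious(ev, events, window=timedelta(minutes=10)):
    """Suspicious auth events on the same host within +/- window of ev."""
    t = _ts(ev)
    return [o for o in events
            if o["kind"] == "auth" and o["host"] == ev["host"]
            and o["detail"] in SUSPICIOUS_AUTH and abs(_ts(o) - t) <= window]


def score_event(ev, events):
    """Additive context score with human-readable reasons for the triage queue."""
    score, reasons = 0, []
    parent = _basename(ev["parent"])
    if parent in SERVICE_PARENTS:
        score += 3
        reasons.append(f"service process {parent} enumerating identities")
    elif parent not in BASELINE_PARENTS:
        score += 1
        reasons.append(f"non-baseline parent {parent}")
    if ev["user"] not in BASELINE_USERS:
        score += 1
        reasons.append(f"non-baseline user {ev['user']}")
    if ev["role"] in SENSITIVE_ROLES:
        score += 1
        reasons.append(f"sensitive host role {ev['role']}")
    near = nearby_suspicious(ev, events)
    if near:
        score += 2
        reasons.append("near " + ", ".join(o["detail"] for o in near))
    return score, reasons


def triage(events, threshold=3):
    """Return enumeration events that reach the alert threshold, highest score first."""
    alerts = []
    for ev in events:
        if not is_enumeration(ev):
            continue
        score, reasons = score_event(ev, events)
        if score >= threshold:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"{a['ts']} {a['host']} {a['user']} score={a['score']}: {'; '.join(a['reasons'])}")
```

With these constructed events the automation-driven `id -u` under ansible scores 0 and the lone `groups` from an interactive shell on a workstation scores 2, below the threshold, which is the "single event is not conclusive" rule in practice; the `/etc/passwd` read by a php-fpm worker and the `cat /etc/passwd` on a bastion three minutes after a sudo failure are the two that surface. One caveat on the file-access side: a read watch on /etc/passwd (for example an auditd `-w /etc/passwd -p r` rule) fires for every process that resolves a username through NSS, so that signal is normally only useful once joined to the parent-process and account context shown here.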
Mitigation priorities
- Start with visibility: ensure Linux logging or endpoint controls can capture relevant process and, where feasible, file-access evidence.
- Harden identity and privilege management on Linux systems so local group membership and account exposure do not create unnecessary escalation paths.
- Review administrative automation and service account behavior to establish expected baselines for detection tuning.
- Use incident response playbooks to correlate this behavior with authentication events, privilege changes, remote access, and other host activity before escalating severity.
- Maintain evidence of monitoring scope and known limitations for compliance and control-assurance discussions.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux local user or group enumeration via /etc/passwd access or commands like id and groups. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this assessment focuses on defensive validation and triage considerations rather than a specific ATT&CK technique chain.
This assessment is limited to the official STIX fields, the MITRE external reference, and the absence of relationship context. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local baselines and telemetry availability are required to determine practical alert value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7091123bd99a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0847
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.