Penetration testing

Explore Python for MITRE ATT&CK account and directory discovery

Howard Poston
August 25, 2021 by
Howard Poston

The MITRE ATT&CK framework breaks the lifecycle of a cyberattack into a series of tactics or goals that the attacker may need to achieve. For each of these goals, several different techniques are outlined for achieving them.

An attacker with access to a target environment needs information about that environment to achieve their end goals. In many cases, this information is only available once they are inside the environment because firewalls and other defenses limit the information accessible from the outside. For this reason, an attacker may need to perform discovery to collect the intelligence needed to plan the remainder of their campaign.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Introduction to account discovery

Digital systems use the concept of accounts to manage identities and access. Any user of a system and the applications that run on it have accounts associated with them that describe their access and privileges on the system.

Information about these accounts can be invaluable to an attacker. Account information can help to determine the accounts that have the access and privileges needed to achieve the next step of the attack or which accounts might be worth compromising as a persistence mechanism.

User account discovery

Both Windows and *nix operating systems assign accounts to each of their users. While these operating systems manage the privileges associated with these accounts in different ways, the underlying concepts are the same.

The discovery of the user accounts associated with a particular system is a useful step for an attacker. For example, identifying an administrator account on a Windows computer may help the attacker to decide which account to try to compromise next.

User account discovery with Python

Windows Management Instrumentation (WMI) is an interface for interacting with the Windows operating system. These scripts are available in Python via the wmi library.

The script above (available on Github) demonstrates the use of WMI in Python to collect information about user accounts on a system. It iterates through the list of user accounts on the system and prints out information about these accounts, such as if they are active, if they have administrator access, whether they are local or domain accounts and password information.

The script also uses the system function to run the Windows net command-line utility. This utility — with the accounts flag — provides information about the system’s password policy. This password policy information can be valuable for planning a password guessing attack on the system.

Introduction to file and directory discovery

User accounts aren’t the only source of valuable information on a target system. A compromised machine may also contain a great deal of sensitive information in various files and folders.

File and directory discovery

Automatically searching for files and folders of interest on a computer can help an attacker to plan the next stage of their attack. For example, the discovery of personally identifiable information (PII) in some folders may lead to data theft. Alternatively, information about other systems on the network may help an attacker to plan the next stage of their campaign.

File and directory discovery with Python

Python can be used to access the file system, and with the use of regular expressions, can check to see if certain files contain data of interest.

The code sample above (available here) demonstrates the use of Python to look for certain types of PII within a particular directory. To do so, the code uses regular expressions designed to match email addresses, phone numbers and Social Security Numbers (SSNs). While these are highly standardized types of data (making them easy to search for), it’s also possible to search for other types of data using context, keywords and ways.

This particular script looks only at text files and Microsoft Office files. For text files, the code reads in the contents of the file and applies the regex. Since Word documents are zip files, the code extracts their contents, reads in the text (stored in an XML file) and then searches for matches to the regex.

In this case, the Python code is used to identify and steal the data contained within these files. However, similar code could be used for other purposes, such as to target ransomware attacks to ensure that they only encrypt high-value files.

Using Python for account and directory discovery

Once inside a target system, an attacker needs to perform discovery to learn about the environment. Data about user accounts and the sensitive information contained within files on the system can be valuable to an attacker, and Python can be used to collect this information.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.


Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at