T1033: System Owner/User Directory

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.

Example

Will work with the whoami command for Windows and check it's different features

Whoami /user : Display information on the current user and SID

Whoami /fqdn: Displays information on the fully qualified domain name on the user

Whoami /groups: Displays the groups the user is a part of.

PreviousT1007: System Service Disvcovery NextT1049: System Network Connections Discovery

Last updated 3 years ago