πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Introduction
Red Team
Red Team Techniques
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
T1124: System Time Discovery
T1007: System Service Disvcovery
T1033: System Owner/User Directory
T1049: System Network Connections Discovery
T1016: System Network Configuration Discovery
T1082: System Information Discovery
T1518: Software Discovery
T1018: Remote System Discovery
T1012: Query Registry
T1057: Process Discovery
T1069: Permissions Groups Discovery
T1120: Peripheral Device Discovery
T1201: Password Policy Discovery
T1040: Network Sniffing
T1135: Network Share Discovery
T1046: Network Servie Scanning
T1083: File and Directory Discovery
T1486: Domain Trust Discovery
T1217: Browser Bookmark Discovery
T1010: Application Window Discovery
T1087: Account Discovery
Lateral Movement
Active Directory
Active Directory
Active Directory Attacks
Red Team Infrastructure
RED TEAM INFRASTRUCTURE
Domain Name and Categorization
Reconnaissance
Weaponization
Delivery
Situational Awareness
Credential Dumping
Persistence
Defense Evasion
Privilege Escalation
Lateral Movement
Powered By GitBook
T1033: System Owner/User Directory
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.
Example
Will work with the whoami command for Windows and check it's different features
Whoami /user : Display information on the current user and SID
Whoami /fqdn: Displays information on the fully qualified domain name on the user
Whoami /groups: Displays the groups the user is a part of.
Previous
T1007: System Service Disvcovery
Next
T1049: System Network Connections Discovery
Last modified 1yr ago
Copy link