T1033: System Owner/User Directory
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.
Example
Will work with the whoami command for Windows and check it's different features
Whoami /user : Display information on the current user and SID
Whoami /fqdn: Displays information on the fully qualified domain name on the user
Whoami /groups: Displays the groups the user is a part of.
Copy link