Applied Cybernetics Group
T1033 — System Owner/User Discovery
- Technique: T1033
- Tactics: Discovery
- MISP citations: 0
- KEV CVEs mapped: 2
- Community rules: 30
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1033
MITRE description
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Various utilities and commands may acquire this information, including `whoami`. In macOS and Linux, the currently logged in user can be identified with `w` and `who`. On macOS the `dscl . list /Users | grep -v '_'` command can also be used to enumerate user accounts. Environment variables, such as `%USERNAME%` and `$USER`, may also be used to access this information. On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Potential Dridex Activity (emerging-threats)
- Possible DCSync Attack (core)
- SharpHound Recon Sessions (core)
- System Owner or User Discovery - Linux (core)
- ESXi Network Configuration Discovery Via ESXCLI (core)
- ESXi Storage Information Discovery Via ESXCLI (core)
- ESXi System Information Discovery Via ESXCLI (core)
- ESXi VM List Discovery Via ESXCLI (core)
- ESXi VSAN Information Discovery Via ESXCLI (core)
- Cisco Discovery (core)
- Get-ADUser Enumeration Using UserAccountControl Flags (core)
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell (core)
- Suspicious PowerShell Get Current User (core)
- User Discovery And Export Via Get-ADUser Cmdlet - PowerShell (core)
- HackTool - SharpLdapWhoami Execution (core)
- HackTool - SharpView Execution (core)
- Computer Discovery And Export Via Get-ADComputer Cmdlet (core)
- User Discovery And Export Via Get-ADUser Cmdlet (core)
- Renamed Whoami Execution (core)
- Local Accounts Discovery (core)
- WhoAmI as Parameter (core)
- Chopper Webshell Process Pattern (core)
- Webshell Hacking Activity Patterns (core)
- Webshell Detection With Command Line Keywords (core)
- Enumerate All Information With Whoami.EXE (core)
Showing 25 of 30 community rules; the full set is tagged attack.t1033 in SigmaHQ.
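The MITRE description above lists the commands an adversary uses for this technique (`whoami`, `w`, `who`, `$USER`/`%USERNAME%`), and the rule list shows how the community detects them: not by alerting on every `whoami`, which is far too noisy, but on the suspicious shapes of it (a renamed `whoami.exe` identified by its `OriginalFileName`, `whoami` passed as a parameter to another process, `whoami /all`, a web server spawning user-discovery commands, PowerShell reading the current identity). The following is an added example, not code from this page or from SigmaHQ: it implements simplified approximations of those rule ideas in Python over constructed process-creation events whose field names follow Sysmon Event ID 1 (`Image`, `CommandLine`, `ParentImage`, `OriginalFileName`). The finding names, the `ProcEvent` class, the parent-process and command lists, and all sample events are the example's own assumptions; the real SigmaHQ rules carry more conditions and filters than shown here.

```python
"""Simplified T1033 detection logic over constructed process-creation events.

Added example. The checks approximate the *ideas* behind the SigmaHQ rule titles
on this page (renamed whoami, whoami as a parameter, whoami /all, PowerShell
current-user lookups, Linux user discovery, webshell-spawned discovery); they are
not the SigmaHQ rules themselves. Event field names follow Sysmon Event ID 1.
"""
import ntpath
import posixpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str                 # Sysmon 'Image': full path of the new process
    cmdline: str               # Sysmon 'CommandLine'
    parent: str = ""           # Sysmon 'ParentImage'
    original_name: str = ""    # Sysmon 'OriginalFileName' (PE version info, Windows)
    platform: str = "windows"  # "windows" or "linux" (assumption: tags added by the collector)


# Assumed lists: which binaries count as user discovery on Linux, which parents are web servers.
LINUX_USER_DISCOVERY = {"whoami", "w", "who", "id", "users", "last", "lastlog"}
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "httpd.exe", "nginx", "php-fpm", "php-cgi.exe", "tomcat", "java.exe"}
# PowerShell ways of reading the current user (lower-cased substrings of the command line).
PS_CURRENT_USER_MARKERS = ("$env:username", "[environment]::username", "windowsidentity]::getcurrent(")


def _base(path: str, platform: str) -> str:
    """Lower-cased file name of a path, using the right separator rules for the platform."""
    mod = ntpath if platform == "windows" else posixpath
    return mod.basename(path).lower()


def _tokens(cmdline: str) -> list[str]:
    """Whitespace-split, lower-cased, quote-stripped command-line tokens (token 0 is the program)."""
    return [t.strip("\"'") for t in cmdline.lower().split()]


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of the simplified T1033 checks that fire on one event."""
    findings: list[str] = []
    exe = _base(ev.image, ev.platform)
    parent = _base(ev.parent, ev.platform) if ev.parent else ""
    args = _tokens(ev.cmdline)[1:]
    low = ev.cmdline.lower()

    if ev.platform == "windows":
        # OriginalFileName survives a rename of the binary on disk, so use it too.
        is_whoami = exe == "whoami.exe" or ev.original_name.lower() == "whoami.exe"
        if is_whoami and any(a in ("/all", "-all") for a in args):
            findings.append("whoami_all")
        if ev.original_name.lower() == "whoami.exe" and exe != "whoami.exe":
            findings.append("renamed_whoami")
        if exe != "whoami.exe" and any(a in ("whoami", "whoami.exe") for a in args):
            findings.append("whoami_as_parameter")          # e.g. cmd.exe /c whoami
        if exe in ("powershell.exe", "pwsh.exe") and any(m in low for m in PS_CURRENT_USER_MARKERS):
            findings.append("powershell_current_user")
    else:
        if exe in LINUX_USER_DISCOVERY:
            findings.append("linux_user_discovery")
        # Shell wrappers: sh -c "id; who" hides the discovery binary inside the argument string.
        if exe in ("sh", "bash", "dash", "zsh") and any(a.strip(";|&") in LINUX_USER_DISCOVERY for a in args):
            findings.append("linux_user_discovery_via_shell")

    # Any user discovery spawned directly by a web server is the webshell pattern.
    if parent in WEB_SERVER_PARENTS and findings:
        findings.append("webshell_user_discovery")
    return findings


# Constructed sample events (not real telemetry), labelled by the scenario they model.
SAMPLE_EVENTS = {
    "benign_svchost": ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
                                r"C:\Windows\System32\services.exe", "svchost.exe"),
    "whoami_all": ProcEvent(r"C:\Windows\System32\whoami.exe", "whoami /all",
                            r"C:\Windows\System32\cmd.exe", "whoami.exe"),
    "renamed": ProcEvent(r"C:\Users\Public\wh.exe", "wh.exe /all",
                         r"C:\Windows\System32\cmd.exe", "whoami.exe"),
    "webshell_cmd": ProcEvent(r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami"',
                              r"C:\Windows\System32\inetsrv\w3wp.exe", "Cmd.Exe"),
    "ps_user": ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                         "powershell.exe -nop -c $env:USERNAME", r"C:\Windows\explorer.exe", "PowerShell.EXE"),
    "linux_w": ProcEvent("/usr/bin/w", "w", "/bin/bash", platform="linux"),
    "linux_webshell": ProcEvent("/bin/sh", 'sh -c "id; who"', "/usr/sbin/nginx", platform="linux"),
}


def run_samples() -> dict[str, list[str]]:
    """Run every sample event through detect() and return label -> findings."""
    return {label: detect(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:16s} {hits or '-'}")
```

The point to carry over from the Sigma rule set is the shape of the conditions, not the literal lists: bare `whoami` from an interactive `cmd.exe` is routine administration and would drown an analyst, so every check above keys on a context that legitimate use rarely has (a renamed binary, a web server as parent, an `/all` dump of groups and privileges, a shell wrapper hiding the command). Tune `WEB_SERVER_PARENTS` and `LINUX_USER_DISCOVERY` to the environment before treating any of these as alerts.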