T1033: System Owner/User Discovery
| View on MITRE ATT&CK | T1033 |
|---|---|
| Tactic(s) | Discovery |
| Associated CAPEC Patterns | Owner Footprinting (CAPEC-577) |
Data from MITRE ATT&CK®:
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.
On network devices, Network Device CLI commands such as show users and show ssh can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
KAPEKA A novel backdoor spotted in Eastern Europe
This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusions activity by the UNC3886 intrusion set which involved the deployment of ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
This report by the DFIR Report outlines a Trigona Ransomware attack. It describes how the actors went from initial access (by exposed RDP) to data ...
How to detect this technique
MITRE ATT&CK Data Components
Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Active Directory Object Access (Active Directory)
Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)Windows Registry Key Access (Windows Registry)
Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)OS API Execution (Process)
Operating system function/method calls executed by a processProcess Access (Process)
Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.