EXPLORE

← Back to Explore

T1033

System Owner/User Discovery

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running pr...

LinuxmacOSNetwork DevicesWindows

59

Detections

3

Sources

38

Threat Actors

BY SOURCE

29sigma16elastic14splunk_escu

PROCEDURES (33)

Process Creation Monitoring14 detections

Auto-extracted: 14 detections for process creation monitoring

Script Execution Monitoring3 detections

Auto-extracted: 3 detections for script execution monitoring

Child Process3 detections

Auto-extracted: 3 detections for child process

Privilege3 detections

Auto-extracted: 3 detections for privilege

Powershell2 detections

Auto-extracted: 2 detections for powershell

Script Block2 detections

Auto-extracted: 2 detections for script block

Privilege2 detections

Auto-extracted: 2 detections for privilege

Remote2 detections

Auto-extracted: 2 detections for remote

C22 detections

Auto-extracted: 2 detections for c2

Lateral2 detections

Auto-extracted: 2 detections for lateral

Persist2 detections

Auto-extracted: 2 detections for persist

Powershell1 detections

Auto-extracted: 1 detections for powershell

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Dump1 detections

Auto-extracted: 1 detections for dump

Unusual1 detections

Auto-extracted: 1 detections for unusual

Dump1 detections

Auto-extracted: 1 detections for dump

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Api1 detections

Auto-extracted: 1 detections for api

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Service1 detections

Auto-extracted: 1 detections for service

Service1 detections

Auto-extracted: 1 detections for service

Remote1 detections

Auto-extracted: 1 detections for remote

Service1 detections

Auto-extracted: 1 detections for service

Unusual1 detections

Auto-extracted: 1 detections for unusual

Remote1 detections

Auto-extracted: 1 detections for remote

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Api1 detections

Auto-extracted: 1 detections for api

Remote1 detections

Auto-extracted: 1 detections for remote

DETECTIONS (59)

Account Discovery Command via SYSTEM Account

AWS STS GetCallerIdentity API Called for the First Time

Check Elevated CMD using whoami

Chopper Webshell Process Pattern

Cisco Discovery

Computer Discovery And Export Via Get-ADComputer Cmdlet

Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell

Discovery Command Output Written to Suspicious File

Enumerate All Information With Whoami.EXE

Enumeration Command Spawned via WMIPrvSE

ESXi Network Configuration Discovery Via ESXCLI

ESXi Storage Information Discovery Via ESXCLI

ESXi System Information Discovery Via ESXCLI

ESXi VM List Discovery Via ESXCLI

ESXi VSAN Information Discovery Via ESXCLI

Get-ADUser Enumeration Using UserAccountControl Flags

GetCurrent User with PowerShell

GetCurrent User with PowerShell Script Block

Group Membership Reconnaissance Via Whoami.EXE

HackTool - SharpLdapWhoami Execution

HackTool - SharpView Execution

Interactive Privilege Boundary Enumeration Detected via Defend for Containers

Linux Auditd Whoami User Discovery

Local Accounts Discovery

Possible DCSync Attack

Potentially Suspicious Process Started via tmux or screen

PowerShell Suspicious Discovery Related Windows API Functions

Renamed Whoami Execution

Security Privileges Enumeration Via Whoami.EXE

SharpHound Recon Sessions

Sudo Command Enumeration Detected

Suspicious JetBrains TeamCity Child Process

Suspicious MS Office Child Process

Suspicious PDF Reader Child Process

Suspicious PowerShell Get Current User

Suspicious React Server Child Process

Suspicious System Commands Executed by Previously Unknown Executable

System Owner or User Discovery - Linux

System User Discovery With Query

System User Discovery With Whoami

Unusual Linux User Discovery Activity

Unusual User Privilege Enumeration via id

User Discovery And Export Via Get-ADUser Cmdlet

User Discovery And Export Via Get-ADUser Cmdlet - PowerShell

User Discovery With Env Vars PowerShell

User Discovery With Env Vars PowerShell Script Block

Webshell Detection With Command Line Keywords

Webshell Hacking Activity Patterns

WhoAmI as Parameter

Whoami Process Activity

Whoami.EXE Execution Anomaly

Whoami.EXE Execution From Privileged Process

Whoami.EXE Execution With Output Option

Windows Common Abused Cmd Shell Risk Behavior

Windows System Discovery Using ldap Nslookup

Windows System Discovery Using Qwinsta

Windows System Remote Discovery With Query

Windows System User Discovery Via Quser

Windows System User Privilege Discovery