# T1033 System Owner/User Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  * Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Network Traffic:** Network Traffic Content

  * **Windows Registry:** Windows Registry Key Access

  * **Command:** Command Execution

  * **File:** File Access

  * **Process:** Process Creation

  * **Active Directory:** Active Directory Object Access

  * **Network Traffic:** Network Traffic Flow

  * **Process:** OS API Execution

  * **Process:** Process Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to capture the username on a compromised host in order to register it with C2.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to identify the user of a compromised host.(Citation: ATT Sidewinder January 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used the <code>quser</code> command to show currently logged on users.(Citation: NCC Group Chimera January 2021) | 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used malware to identify the username on a compromised host.(Citation: BlackBerry Bahamut)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used "whoami" to identify the local user and their privileges.(Citation: Sophos New Ryuk Attack October 2020)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts, gathering username, machine name, and administrative permissions information.(Citation: Talos Frankenstein June 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) used the WMIEXEC utility to execute <code>whoami</code> commands on remote machines.(Citation: FireEye APT41 Aug 2019)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used <code>whoami</code> and <code>query user</code> to obtain information about the victim user.(Citation: Cybereason Soft Cell June 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) used [Remexi](https://attack.mitre.org/software/S0375) to collect usernames from the system.(Citation: Symantec Chafer Dec 2015)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.(Citation: CISA AA20-239A BeagleBoyz August 2020)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) used <code>letmein</code> to scan for saved usernames on the target system.(Citation: TrendMicro TropicTrooper 2015)| 
| APT19 | [APT19](https://attack.mitre.org/groups/G0073) used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.(Citation: Unit 42 C0d0so0 Jan 2016)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can collect the victim’s username.(Citation: Securelist MuddyWater Oct 2018)(Citation: Trend Micro Muddy Water March 2021)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) identifies the victim username.(Citation: Talos Group123)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has obtained the victim username and sent it to the C2 server.(Citation: Unit 42 Magic Hound Feb 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) collected the victim's username and executed the <code>whoami</code> command on the victim's machine. [APT32](https://attack.mitre.org/groups/G0050) executed shellcode to collect the username on the victim's machine. (Citation: FireEye APT32 April 2020)(Citation: ESET OceanLotus)(Citation: Cybereason Cobalt Kitty 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run <code>whoami</code> on a victim.(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Check Point APT34 April 2021)| 
| FIN10 | [FIN10](https://attack.mitre.org/groups/G0051) has used Meterpreter to enumerate users on remote systems.(Citation: FireEye FIN10 June 2017)| 
| Gamaredon Group | A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's username to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) collected the victim username and whether it was running as admin, then sent the information to its C2 server.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers the registered user and primary owner name via WMI.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) used the command <code>query user</code> on victim hosts.(Citation: US-CERT TA18-074A)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has collected the username from a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)| 
| Lazarus Group | Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware enumerates logged-on users.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: Lazarus APT January 2022)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used `whoami` to collect system user information.(Citation: Trend Micro DRBControl February 2020)| 
| APT3 | An [APT3](https://attack.mitre.org/groups/G0022) downloader uses the Windows command <code>"cmd.exe" /C whoami</code> to verify that it is running with the elevated privileges of “System.”(Citation: FireEye Operation Double Tap)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used implants capable of collecting the signed-in username.(Citation: Microsoft NICKEL December 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1033)

  * [Capec](https://capec.mitre.org/data/definitions/577.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Epic collects the user name from the victim’s machine.
- Mosquito runs whoami on the victim’s machine.

#### APT29
- PowerDuke has commands to get the current user's name and SID.

## Detection Blindspots

- Information Here

## Analytical References

  * [Atomic Red Team T1033 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md)
  * [KL Epic Turla Technical Appendix 2018 (kaspersky)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080105/KL_Epic_Turla_Technical_Appendix_20140806.pdf)
  * [Ultimate Windows Security - Event ID 4798](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4798)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather system and network information

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```process.name : (whoami.exe or qwinsta.exe or quser.exe or systeminfo.exe)```
  * **Query:** ```process.name : wmic.exe AND process.command_line : *useraccount*```
  * **Query:** ```event.code : 4798 AND winlog.event_data.CallerProcessName : (*wmi* or *net* or *powershell*)```
  * **Query:** ```process.name : (net.exe or net1.exe) AND process.command_line : (*accounts* or *computer* or *config* or *localgroup*)```
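
The following Python is an added example, not part of the original hunt page or of the MITRE entry: it re-implements the four Analytic 1 queries above as plain matching logic and then applies the "chain of behavior" guidance from the Technique Detection section by correlating matches per host inside a time window. Field names follow the ECS names used in the queries (`process.name`, `process.command_line`, `event.code`, `winlog.event_data.CallerProcessName`, `host.name`); the events in `SAMPLE_EVENTS` are constructed for the demonstration, not captured telemetry, and the label names and the five-minute window are assumptions chosen here.

```python
"""Offline re-implementation of the T1033 Analytic 1 queries (added example)."""
import fnmatch
from datetime import datetime, timedelta

# Process names and keywords taken from the page's Analytic 1 queries.
DISCOVERY_BINARIES = {"whoami.exe", "qwinsta.exe", "quser.exe", "systeminfo.exe"}
NET_BINARIES = {"net.exe", "net1.exe"}
NET_KEYWORDS = ("accounts", "computer", "config", "localgroup")
CALLER_PATTERNS = ("*wmi*", "*net*", "*powershell*")  # KQL wildcards, as in the query


def _lower(value):
    """Normalise a possibly missing string field to lower case."""
    return (value or "").lower()


def classify(event):
    """Return the Analytic 1 labels an event matches (empty list = no match).

    Labels are assumed names, one per query on the page:
      discovery-binary  process.name is whoami/qwinsta/quser/systeminfo
      wmic-useraccount  wmic.exe with 'useraccount' on the command line
      event-4798        Security event 4798 raised by a wmi/net/powershell caller
      net-enumeration   net.exe/net1.exe with accounts/computer/config/localgroup
    """
    labels = []
    name = _lower(event.get("process.name"))
    cmd = _lower(event.get("process.command_line"))
    code = str(event.get("event.code", ""))
    caller = _lower(event.get("winlog.event_data.CallerProcessName"))

    if name in DISCOVERY_BINARIES:
        labels.append("discovery-binary")
    if name == "wmic.exe" and "useraccount" in cmd:
        labels.append("wmic-useraccount")
    if code == "4798" and any(fnmatch.fnmatch(caller, p) for p in CALLER_PATTERNS):
        labels.append("event-4798")
    if name in NET_BINARIES and any(k in cmd for k in NET_KEYWORDS):
        labels.append("net-enumeration")
    return labels


def hunt(events, window=timedelta(minutes=5), min_distinct=2):
    """Correlate per host: report hosts where at least `min_distinct` different
    labels fire within `window` of each other, so a lone whoami is not an alert
    on its own but whoami + net localgroup + 4798 on one host is."""
    per_host = {}
    for ev in events:
        labels = classify(ev)
        if not labels:
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        per_host.setdefault(ev.get("host.name", "unknown"), []).append((ts, labels))

    findings = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, labels in hits[i:]:
                if t - t0 > window:
                    break
                seen.update(labels)
            if len(seen) >= min_distinct:
                findings[host] = sorted(seen)
                break
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"@timestamp": "2021-07-08T10:00:00Z", "host.name": "WS01",
     "process.name": "whoami.exe", "process.command_line": "whoami /all"},
    {"@timestamp": "2021-07-08T10:00:30Z", "host.name": "WS01",
     "process.name": "net.exe", "process.command_line": "net localgroup administrators"},
    {"@timestamp": "2021-07-08T10:01:00Z", "host.name": "WS01", "event.code": "4798",
     "winlog.event_data.CallerProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe"},
    {"@timestamp": "2021-07-08T11:30:00Z", "host.name": "WS02",
     "process.name": "notepad.exe", "process.command_line": "notepad.exe readme.txt"},
    {"@timestamp": "2021-07-08T12:00:00Z", "host.name": "WS03",
     "process.name": "quser.exe", "process.command_line": "quser"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.get("host.name"), ev.get("process.name") or ev.get("event.code"), classify(ev))
    print("correlated findings:", hunt(SAMPLE_EVENTS))
```

Note the caveat the correlation step is there to absorb: event 4798 ("a user's local group membership was enumerated") and the `*net*` caller wildcard fire routinely for legitimate administration, so the single-query matches are hunt leads, and the per-host window is what turns them into something worth triaging.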



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

