security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/Windows/Discovery/System_Owner-User_Discovery.md
T

40 lines
784 B
Markdown
Raw Normal View History

Initial Commit
2017-10-11 10:35:17 -07:00
## System Owner/User Discovery
Mac Discovery
2018-01-09 14:53:47 -07:00
MITRE ATT&CK Technique: [T1033](https://attack.mitre.org/wiki/Technique/T1033)
Initial Commit
2017-10-11 10:35:17 -07:00
### cmd.exe
"cmd.exe" /C whoami
### wmic.exe
wmic useraccount get /ALL
### quser
Discovery
2017-10-12 10:35:44 -07:00
Remote:
Initial Commit
2017-10-11 10:35:17 -07:00
quser /SERVER:"<computername>"
Discovery
2017-10-12 10:35:44 -07:00
Local:
quser
Initial Commit
2017-10-11 10:35:17 -07:00
### qwinsta
Discovery
2017-10-12 10:35:44 -07:00
Remote:
Initial Commit
2017-10-11 10:35:17 -07:00
qwinsta.exe" /server:<computername>
Discovery
2017-10-12 10:35:44 -07:00
Local:
qwinsta.exe
Reactor Chain Reaction
2018-01-16 08:59:22 -07:00
Single Endpoint
for /F “tokens=1,2” %i in (qwinsta /server:<COMPUTERNAME> ^| findstr “Active Disc”‘) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
Multiple Endpoints
@FOR /F %n in (computers.txt) DO @FOR /F “tokens=1,2” %i in (qwinsta /server:%n ^| findstr “Active Disc”’) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
Reference in New Issue Copy Permalink