Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
47 lines
1.2 KiB
YAML
47 lines
1.2 KiB
YAML
---
|
|
attack_technique: T1033
|
|
display_name: System Owner/User Discovery
|
|
|
|
atomic_tests:
|
|
- name: System Owner/User Discovery
|
|
description: |
|
|
Identify System owner or users on an endpoint
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
computer_name:
|
|
description: Name of remote computer
|
|
type: string
|
|
default: computer1
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
cmd.exe /C whoami
|
|
wmic useraccount get /ALL
|
|
quser /SERVER:"#{computer_name}"
|
|
quser
|
|
qwinsta.exe" /server:#{computer_name}
|
|
qwinsta.exe
|
|
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
|
|
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
|
|
|
|
- name: System Owner/User Discovery
|
|
description: |
|
|
Identify System owner or users on an endpoint
|
|
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
users
|
|
w
|
|
who
|