T1033 System Owner/User Discovery

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.

On network devices, Network Device CLI commands such as show users and show ssh can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)

View in MITRE ATT&CK®

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability secondary_impact T1033 System Owner/User Discovery
Comments
CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.
References
CVE-2023-22518 Atlassian Confluence Data Center and Server Improper Authorization Vulnerability primary_impact T1033 System Owner/User Discovery
Comments
CVE-2023-22518 is an improper authorization vulnerability. Adversaries have been seen using HTTP POST requests to upload maliciously-crafted zip files to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries were observed doing local system information discovery, downloading malicious payloads,
References

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1033 System Owner/User Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1033 System Owner/User Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1033 System Owner/User Discovery

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1033 System Owner/User Discovery
Comments
Google Security Operations is able to trigger an alert based off command-line arguments that could indicate adversary's attempting to get information about system users (e.g., primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_owner_user_discovery__sysmon_windows_logs.yaral
References