System Owner and User Discovery

Windows contains several built-in commands to report the active user. These may be used by an actor to learn privileges levels or determine if a session is active.

id:4d8563cb-f6cb-4758-9255-92479260031f categories:enrich confidence:low os:windows created:7/26/2019 updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Discovery techniques:T1033 System Owner/User Discovery

Query

process where subtype.create and (
  process_name in ("hostname.exe", "whoami.exe", "systeminfo.exe", "quser.exe") or
  process_name == "cmd.exe" and wildcard(command_line, "*echo *%USERNAME%*", "*echo *%USERDOMAIN%*")
)

Contributors

• Endgame