===Windows===Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.
===Mac===
On Mac, the currently logged in user can be identified with
users,w, andwho.===Linux===
On Linux, the currently logged in user can be identified with
wandwho.Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process monitoring, Process command-line parameters
Permissions Required: User, Administrator
Identify System owner or users on an endpoint
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| computer_name | Name of remote computer | strong | computer1 |
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"${computername}"
quser
qwinsta.exe" /server:${computername}
qwinsta.exe
for /F “tokens=1,2” %i in (‘qwinsta /server:${computername} ^| findstr “Active Disc”‘) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
@FOR /F %n in (computers.txt) DO @FOR /F “tokens=1,2” %i in (‘qwinsta /server:%n ^| findstr “Active Disc”’) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
Identify System owner or users on an endpoint
Supported Platforms: Linux, macOS
users
w
who