System Owner/User Discovery
System Owner/User Discovery [T1033]
Last updated
System Owner/User Discovery [T1033]
Last updated
Name: System Owner/User Discovery
ID: T1033
Tactics:
System Owner/User Discovery is a reconnaissance technique categorized under the MITRE ATT&CK framework as T1033. It involves attackers attempting to identify the current system owner or user account information on compromised hosts. Gathering such information helps attackers understand the context of the compromised system, tailor their subsequent activities, and escalate privileges by targeting specific user accounts or roles. This technique is a key step in the reconnaissance and lateral movement phases, enabling attackers to map out the internal environment and refine their attacks.
System Owner/User Discovery involves various technical methods attackers use to determine the identity of the current user, system owner, or privileged accounts on compromised systems. Attackers leverage built-in operating system commands, scripts, and third-party tools to extract user and owner information.
Common technical execution methods include:
Windows Environments:
Executing built-in commands such as:
whoami to identify the current logged-in user.
query user, qwinsta, or quser to list logged-in users and sessions.
net user and net localgroup administrators to enumerate local user accounts and administrators.
echo %USERNAME% and echo %USERDOMAIN% to display the current user's username and domain.
PowerShell commands like Get-LocalUser, Get-WmiObject -Class Win32_UserAccount, or Get-ADUser for Active Directory environments.
Using WMI queries (wmic useraccount get name,sid) to enumerate user accounts and security identifiers (SIDs).
Inspecting registry entries (e.g., HKEY_USERS) to identify user profiles and recent logins.
Linux/Unix Environments:
Executing commands such as:
whoami to identify the current logged-in user.
id to retrieve detailed user and group membership information.
w, who, and last commands to list currently or previously logged-in users.
Inspecting /etc/passwd, /etc/group, and /etc/shadow files to enumerate system users and groups.
Checking home directories (/home) and ownership of key files and processes.
Running scripts or leveraging tools like LinEnum or Linux Exploit Suggester to automate user enumeration.
Attackers may also leverage third-party scripts or custom malware to automate and streamline user discovery activity, often embedding this reconnaissance into their initial access or lateral movement payloads.
Attackers commonly use System Owner/User Discovery across multiple stages of the cyberattack lifecycle:
Initial Reconnaissance: Immediately after gaining initial access, attackers attempt to understand who is logged into the compromised host to gauge privileges and potential targets.
Privilege Escalation: Attackers identify privileged user accounts to target for credential theft, privilege escalation, or lateral movement.
Lateral Movement: Attackers enumerate users to identify valid accounts they can leverage for lateral movement across the network.
Persistence: Attackers assess user accounts to pick suitable targets for implanting persistent access mechanisms (e.g., via startup scripts or scheduled tasks associated with specific user accounts).
Targeted Attacks: Attackers use user information to perform spear phishing or targeted social engineering attacks against specific users or administrators.
Detection of System Owner/User Discovery relies on monitoring command execution, log analysis, and behavioral anomaly detection. Common detection methods and indicators of compromise (IoCs) include:
Monitoring and Logging:
Enable and analyze command-line logging and process creation events (e.g., Windows Event ID 4688, Sysmon events).
Monitor execution of unusual commands such as whoami, id, net user, quser, qwinsta, or WMI queries.
Monitor PowerShell command executions and scripts that enumerate users and groups.
Endpoint Detection and Response (EDR) Tools:
Utilize EDR solutions to detect anomalous execution of reconnaissance commands and scripts.
Detect suspicious behaviors such as enumeration commands executed from unusual parent processes or locations.
Behavioral Analytics:
Implement behavioral analytics to detect anomalies such as user enumeration commands executed by accounts or hosts that rarely or never perform such actions.
Track frequency and context of enumeration commands to identify deviations from baseline behavior.
Specific Indicators of Compromise (IoCs):
Unusual or unexpected command-line executions:
whoami /all
net user /domain
wmic useraccount get
Get-ADUser
cat /etc/passwd
Execution of known enumeration scripts/tools (e.g., LinEnum, BloodHound, PowerView).
Suspicious access to sensitive files containing user information (/etc/passwd, /etc/shadow, registry hives).
Early detection of System Owner/User Discovery is critical due to the significant security implications involved:
Privilege Escalation Risks: Attackers use user enumeration to identify privileged accounts, potentially escalating privileges and gaining administrative control over critical systems.
Facilitating Lateral Movement: Identifying valid user accounts enables attackers to move laterally across the network, increasing the scope and severity of the compromise.
Targeted Attacks and Social Engineering: Attackers leverage user information for targeted phishing and social engineering, increasing the likelihood of successful credential theft or malware deployment.
Persistence and Long-Term Access: Attackers use user information to implant persistent access mechanisms tied to specific accounts, complicating remediation and incident response efforts.
Data Exfiltration and Compliance Risk: Attackers who successfully escalate privileges can access sensitive data, leading to data breaches, regulatory violations, and reputational damage.
Detecting and responding quickly to System Owner/User Discovery activities can significantly reduce the attacker's dwell time, limit lateral movement, and mitigate overall impact.
Real-world examples illustrating System Owner/User Discovery include:
APT28 (Fancy Bear):
Scenario: APT28 leveraged whoami, net user, and PowerShell commands to enumerate users and administrators on compromised Windows hosts.
Tools Used: Native Windows commands (whoami, net user), PowerShell enumeration scripts.
Impact: Enabled lateral movement and privilege escalation, leading to extensive compromise of sensitive information.
FIN7 Cybercrime Group:
Scenario: FIN7 attackers executed qwinsta, quser, and net localgroup administrators commands to enumerate logged-in users and administrators on point-of-sale (POS) systems.
Tools Used: Built-in Windows utilities and custom PowerShell scripts.
Impact: Facilitated lateral movement and deployment of malware across multiple POS terminals, resulting in large-scale theft of financial data.
Operation Cloud Hopper (APT10):
Scenario: Attackers executed Linux commands (id, whoami, cat /etc/passwd) to enumerate users and groups on compromised Linux servers.
Tools Used: Linux built-in commands and custom enumeration scripts.
Impact: Enabled attackers to escalate privileges, maintain persistence, and conduct extensive espionage activities against managed service providers (MSPs) and their clients.
TrickBot Malware:
Scenario: TrickBot incorporated system enumeration modules capable of running whoami, net user, and WMI queries to identify users and administrators on compromised hosts.
Tools Used: Custom malware modules, Windows built-in utilities.
Impact: Allowed attackers to identify high-value targets and escalate privileges, leading to ransomware deployments (e.g., Ryuk) and significant financial losses.
These examples demonstrate the widespread use of System Owner/User Discovery by threat actors across diverse attack scenarios and highlight the importance of proactive detection and mitigation measures.