Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including whoami
. In macOS and Linux, the currently logged in user can be identified with w
and who
. On macOS the dscl . list /Users | grep -v '_'
command can also be used to enumerate user accounts. Environment variables, such as %USERNAME%
and $USER
, may also be used to access this information.
On network devices, Network Device CLI commands such as show users
and show ssh
can be used to display users currently logged into the device.[1][2]
ID | Name | Description |
---|---|---|
S1028 | Action RAT |
Action RAT has the ability to collect the username from an infected host.[3] |
S0331 | Agent Tesla |
Agent Tesla can collect the username from the victim’s machine.[4][5][6] |
S0092 | Agent.btz |
Agent.btz obtains the victim username and saves it to a file.[7] |
S1025 | Amadey |
Amadey has collected the user name from a compromised host using |
G0073 | APT19 |
APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.[9] |
G0022 | APT3 |
An APT3 downloader uses the Windows command |
G0050 | APT32 |
APT32 collected the victim's username and executed the |
G0067 | APT37 | |
G0082 | APT38 |
APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.[15] |
G0087 | APT39 | |
G0096 | APT41 |
APT41 used the WMIEXEC utility to execute |
S0456 | Aria-body |
Aria-body has the ability to identify the username on a compromised host.[18] |
S1087 | AsyncRAT |
AsyncRAT can check if the current user of a compromised system is an administrator. [19] |
S1029 | AuTo Stealer |
AuTo Stealer has the ability to collect the username from an infected host.[3] |
S0344 | Azorult |
Azorult can collect the username from the victim’s machine.[20] |
S0414 | BabyShark | |
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea collects the current username from the victim.[22] |
S1081 | BADHATCH |
BADHATCH can obtain logged user information from a compromised machine and can execute the command |
S0534 | Bazar | |
S0017 | BISCUIT |
BISCUIT has a command to gather the username from the system.[25] |
S1068 | BlackCat |
BlackCat can utilize |
S0521 | BloodHound |
BloodHound can collect information on user sessions.[27] |
S0657 | BLUELIGHT |
BLUELIGHT can collect the username on a compromised host.[28] |
S0486 | Bonadan |
Bonadan has discovered the username of the user running the backdoor.[29] |
S0635 | BoomBox |
BoomBox can enumerate the username on a compromised host.[30] |
S1039 | Bumblebee | |
C0017 | C0017 |
During C0017, APT41 used |
C0018 | C0018 |
During C0018, the threat actors collected |
S0351 | Cannon | |
S0348 | Cardinal RAT |
Cardinal RAT can collect the username from a victim machine.[35] |
S0572 | Caterpillar WebShell |
Caterpillar WebShell can obtain a list of user accounts from a victim's machine.[36] |
S0631 | Chaes |
Chaes has collected the username and UID from the infected machine.[37] |
G0114 | Chimera |
Chimera has used the |
S0667 | Chrommme |
Chrommme can retrieve the username from a targeted system.[39] |
S0660 | Clambling |
Clambling can identify the username on a compromised host.[40][41] |
S1024 | CreepySnail |
CreepySnail can execute |
S0115 | Crimson |
Crimson can identify the user on a targeted system.[43][44][45] |
S0498 | Cryptoistic |
Cryptoistic can gather data on the user of a compromised host.[46] |
S0334 | DarkComet |
DarkComet gathers the username from the victim’s machine.[47] |
S0673 | DarkWatchman |
DarkWatchman has collected the username from a victim machine.[48] |
S0354 | Denis |
Denis enumerates and collects the username from the victim’s machine.[49][13] |
S0021 | Derusbi |
A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.[50] |
S0659 | Diavol |
Diavol can collect the username from a compromised host.[51] |
S1021 | DnsSystem |
DnsSystem can use the Windows user name to create a unique identification for infected users and systems.[52] |
S0186 | DownPaper |
DownPaper collects the victim username and sends it to the C2 server.[53] |
G0035 | Dragonfly | |
S0694 | DRATzarus |
DRATzarus can obtain a list of users from an infected machine.[55] |
S0024 | Dyre |
Dyre has the ability to identify the users on a compromised host.[56] |
G1006 | Earth Lusca |
Earth Lusca collected information on user accounts via the |
S0554 | Egregor |
Egregor has used tools to gather information about users.[58] |
S0367 | Emotet |
Emotet has enumerated all users connected to network shares. |
S0363 | Empire | |
S0091 | Epic | |
S0568 | EVILNUM |
EVILNUM can obtain the username from the victim's machine.[61] |
S0401 | Exaramel for Linux |
Exaramel for Linux can run |
S0569 | Explosive |
Explosive has collected the username from the infected host.[63] |
S0171 | Felismus |
Felismus collects the current username and sends it to the C2 server.[64] |
S0267 | FELIXROOT |
FELIXROOT collects the username from the victim’s machine.[65][66] |
G0051 | FIN10 |
FIN10 has used Meterpreter to enumerate users on remote systems.[67] |
G0046 | FIN7 |
FIN7 has used the command |
G0061 | FIN8 |
FIN8 has executed the command |
S0696 | Flagpro |
Flagpro has been used to run the |
S0381 | FlawedAmmyy |
FlawedAmmyy enumerates the current user during the initial infection.[71][72] |
C0001 | Frankenstein |
During Frankenstein, the threat actors used Empire to enumerate hosts and gather username, machine name, and administrative permissions information.[59] |
S1044 | FunnyDream |
FunnyDream has the ability to gather user information from the targeted system using |
G0093 | GALLIUM |
GALLIUM used |
G0047 | Gamaredon Group |
A Gamaredon Group file stealer can gather the victim's username to send to a C2 server.[75] |
S0168 | Gazer | |
S0666 | Gelsemium |
Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[39] |
S0460 | Get2 |
Get2 has the ability to identify the current username of an infected host.[77] |
S0249 | Gold Dragon |
Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server.[78] |
S0477 | Goopy |
Goopy has the ability to enumerate the infected system's user name.[13] |
S0531 | Grandoreiro |
Grandoreiro can collect the username from the victim's machine.[79] |
S0237 | GravityRAT |
GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status).[80] |
S0632 | GrimAgent | |
G0125 | HAFNIUM | |
S0214 | HAPPYWORK |
can collect the victim user name.[83] |
S0391 | HAWKBALL | |
G1001 | HEXANE |
HEXANE has run |
S0431 | HotCroissant |
HotCroissant has the ability to collect the username on the infected host.[86] |
S0260 | InvisiMole |
InvisiMole lists local users and session information.[87] |
S0015 | Ixeshe | |
S0201 | JPIN | |
S0265 | Kazuar | |
G0004 | Ke3chang |
Ke3chang has used implants capable of collecting the signed-in username.[91] |
S0250 | Koadic |
Koadic can identify logged in users across the domain and views user sessions.[92][93] |
S0162 | Komplex |
The OsInfo function in Komplex collects the current running username.[94] |
S0356 | KONNI |
KONNI can collect the username from the victim’s machine.[95] |
S1075 | KOPILUWAK |
KOPILUWAK can conduct basic network reconnaissance on the victim machine with |
S0236 | Kwampirs |
Kwampirs collects registered owner details by using the commands |
G0032 | Lazarus Group |
Various Lazarus Group malware enumerates logged-on users.[98][99][100][101][102][46][103] |
S0362 | Linux Rabbit |
Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain. [104] |
S0513 | LiteDuke |
LiteDuke can enumerate the account name on a targeted system.[105] |
S0680 | LitePower |
LitePower can determine if the current user has admin privileges.[106] |
S0681 | Lizar | |
S0447 | Lokibot |
Lokibot has the ability to discover the username on the infected host.[108] |
S0532 | Lucifer |
Lucifer has the ability to identify the username on a compromised host.[109] |
G1014 | LuminousMoth |
LuminousMoth has used a malicious DLL to collect the username from compromised hosts.[110] |
S1016 | MacMa |
MacMa can collect the username from the compromised machine.[111] |
S1060 | Mafalda |
Mafalda can collect the username from a compromised host.[112] |
G0059 | Magic Hound |
Magic Hound malware has obtained the victim username and sent it to the C2 server.[113][114][115] |
S0652 | MarkiRAT | |
S0459 | MechaFlounder |
MechaFlounder has the ability to identify the username and hostname on a compromised host.[117] |
S1059 | metaMain |
metaMain can collect the username from a compromised host.[112] |
S0455 | Metamorfo |
Metamorfo has collected the username from the victim's machine.[118] |
S0339 | Micropsia |
Micropsia collects the username from the victim’s machine.[119] |
S1015 | Milan |
Milan can identify users registered to a targeted machine.[120] |
S0280 | MirageFox |
MirageFox can gather the username from the victim’s machine.[121] |
S0084 | Mis-Type |
Mis-Type runs tests to determine the privilege level of the compromised user.[122] |
S0149 | MoonWind | |
S0284 | More_eggs |
More_eggs has the capability to gather the username from the victim's machine.[124][125] |
S0256 | Mosquito | |
G0069 | MuddyWater |
MuddyWater has used malware that can collect the victim’s username.[127][128] |
S0228 | NanHaiShu | |
S0590 | NBTscan | |
S0272 | NDiskMonitor |
NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel.[132] |
S0691 | Neoichor |
Neoichor can collect the user name from a victim's machine.[91] |
C0002 | Night Dragon |
During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.[133] |
S0385 | njRAT |
njRAT enumerates the current user during the initial infection.[134] |
S0353 | NOKKI |
NOKKI can collect the username from the victim’s machine.[135] |
S0644 | ObliqueRAT |
ObliqueRAT can check for blocklisted usernames on infected endpoints.[136] |
S0340 | Octopus |
Octopus can collect the username from the victim’s machine.[137] |
G0049 | OilRig | |
S0439 | Okrum | |
C0012 | Operation CuckooBees |
During Operation CuckooBees, the threat actors used the |
C0014 | Operation Wocao |
During Operation Wocao, threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.[143] |
G0040 | Patchwork |
Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[144][132] |
S0428 | PoetRAT |
PoetRAT sent username, computer name, and the previously generated UUID in reply to a "who" command from C2.[145] |
S0139 | PowerDuke |
PowerDuke has commands to get the current user's name and SID.[146] |
S0441 | PowerShower |
PowerShower has the ability to identify the current user on the infected host.[147] |
S0223 | POWERSTATS |
POWERSTATS has the ability to identify the username on the compromised host.[148] |
S0184 | POWRUNER |
POWRUNER may collect information about the currently logged in user by running |
S0113 | Prikormka |
A module in Prikormka collects information from the victim about the current user name.[150] |
S0192 | Pupy |
Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.[151] |
S1032 | PyDCrypt |
PyDCrypt has probed victim machines with |
S0650 | QakBot |
QakBot can identify the user name on a compromised system.[153][154] |
S0269 | QUADAGENT | |
S0262 | QuasarRAT | |
S0241 | RATANKBA | |
S0662 | RCSession |
RCSession can gather system owner information, including user and administrator privileges.[158] |
S0172 | Reaver | |
S0153 | RedLeaves |
RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.[160] |
S0125 | Remsec | |
S0379 | Revenge RAT |
Revenge RAT gathers the username from the system.[162] |
S0258 | RGDoor | |
S0433 | Rifdoor |
Rifdoor has the ability to identify the username on the compromised host.[86] |
S0448 | Rising Sun |
Rising Sun can detect the username of the infected host.[164] |
S0270 | RogueRobin |
RogueRobin collects the victim’s username and whether that user is an admin.[165] |
S0240 | ROKRAT |
ROKRAT can collect the username from a compromised host.[166] |
S0148 | RTM | |
S0085 | S-Type |
S-Type has run tests to determine the privilege level of the compromised user.[122] |
S1018 | Saint Bot |
Saint Bot can collect the username from a compromised host.[168] |
G0034 | Sandworm Team |
Sandworm Team has collected the username from a compromised host.[169] |
S0461 | SDBbot |
SDBbot has the ability to identify the user on a compromised host.[77] |
S0382 | ServHelper |
ServHelper will attempt to enumerate the username of the victim.[170] |
S0596 | ShadowPad |
ShadowPad has collected the username of the victim system.[171] |
S0450 | SHARPSTATS |
SHARPSTATS has the ability to identify the username on the compromised host.[148] |
S0610 | SideTwist |
SideTwist can collect the username on a targeted system.[140] |
G0121 | Sidewinder |
Sidewinder has used tools to identify the user of a compromised host.[172] |
S0692 | SILENTTRINITY |
SILENTTRINITY can gather a list of logged on users.[173] |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA has collected the username from a victim machine.[174] |
S1035 | Small Sieve |
Small Sieve can obtain the id of a logged in user.[175] |
S0649 | SMOKEDHAM |
SMOKEDHAM has used |
S0627 | SodaMaster |
SodaMaster can identify the username on a compromised host.[177] |
S0615 | SombRAT |
SombRAT can execute |
S0543 | Spark |
Spark has run the whoami command and has a built-in command to identify the user logged in.[180] |
S0374 | SpeakUp | |
S1030 | Squirrelwaffle |
Squirrelwaffle can collect the user name from a compromised host.[182] |
S0058 | SslMM |
SslMM sends the logged-on username to its hard-coded C2.[183] |
S1037 | STARWHALE |
STARWHALE can gather the username from an infected host.[184][185] |
G0038 | Stealth Falcon |
Stealth Falcon malware gathers the registered user and primary owner name via WMI.[186] |
S1034 | StrifeWater |
StrifeWater can collect the user name from the victim's machine.[187] |
S0559 | SUNBURST |
SUNBURST collected the username from a compromised host.[188][189] |
S1064 | SVCReady |
SVCReady can collect the username from an infected host.[190] |
S0242 | SynAck | |
S0060 | Sys10 |
Sys10 collects the account name of the logged-in user and sends it to the C2.[183] |
S0663 | SysUpdate |
SysUpdate can collect the username from a compromised host.[192] |
S0098 | T9000 |
T9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.[193] |
G0027 | Threat Group-3390 |
Threat Group-3390 has used |
S0266 | TrickBot |
TrickBot can identify the user and groups the user belongs to on a compromised host.[194] |
S0094 | Trojan.Karagany |
Trojan.Karagany can gather information about the user on a compromised host.[195] |
G0081 | Tropic Trooper |
Tropic Trooper used |
S0647 | Turian | |
S0130 | Unknown Logger |
Unknown Logger can obtain information about the victim usernames.[198] |
S0275 | UPPERCUT |
UPPERCUT has the capability to collect the current logged on user’s username from a machine.[199] |
S0476 | Valak | |
S0257 | VERMIN | |
G1017 | Volt Typhoon |
Volt Typhoon has executed the PowerShell command |
S0515 | WellMail |
WellMail can identify the current username on the victim system.[204] |
S0514 | WellMess |
WellMess can collect the username on the victim machine to send to C2.[205] |
S0155 | WINDSHIELD |
WINDSHIELD can gather the victim user name.[206] |
G0112 | Windshift |
Windshift has used malware to identify the username on a compromised host.[207] |
S0219 | WINERACK | |
S0059 | WinMM |
WinMM uses NetUser-GetInfo to identify that it is running under an "Admin" account on the local system.[183] |
G0102 | Wizard Spider |
Wizard Spider has used "whoami" to identify the local user and their privileges.[208] |
S1065 | Woody RAT |
Woody RAT can retrieve a list of user accounts and usernames from an infected machine.[209] |
S0161 | XAgentOSX |
XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user.[210] |
S0248 | yty | |
S0251 | Zebrocy | |
G0128 | ZIRCONIUM |
ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.[214] |
S0350 | zwShell |
zwShell can obtain the name of the logged-in user on the victim.[133] |
S0412 | ZxShell |
ZxShell can collect the owner and organization information from the target workstation.[215] |
S1013 | ZxxZ |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0026 | Active Directory | Active Directory Object Access |
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [217] [218] [219] Note: Domain controllers may not log replication requests originating from the default domain controller account. [220]. Monitor for replication requests [221] from IPs not associated with known domain controllers. [222] |
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [223] which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of CMSTP. |
DS0022 | File | File Access |
Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system ( |
DS0029 | Network Traffic | Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols. |
Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
||
DS0009 | Process | OS API Execution |
Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. |
Process Access |
Monitor for unexpected processes interacting with lsass.exe.[224] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity. LinuxTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path |
||
Process Creation |
Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of at being created, therefore implying the querying or creation of tasks. If this tools is commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning. Analytic 1 - Suspicious Process Execution
|
||
DS0024 | Windows Registry | Windows Registry Key Access |
Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. |