Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including whoami
. In macOS and Linux, the currently logged in user can be identified with w
and who
. On macOS the dscl . list /Users | grep -v '_'
command can also be used to enumerate user accounts. Environment variables, such as %USERNAME%
and $USER
, may also be used to access this information.
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla |
Agent Tesla can collect the username from the victim’s machine.[1][2][3] |
S0092 | Agent.btz |
Agent.btz obtains the victim username and saves it to a file.[4] |
G0073 | APT19 |
APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.[5] |
G0022 | APT3 |
An APT3 downloader uses the Windows command |
G0050 | APT32 |
APT32 collected the victim's username and executed the |
G0067 | APT37 | |
G0082 | APT38 |
APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.[11] |
G0087 | APT39 | |
G0096 | APT41 |
APT41 used the WMIEXEC utility to execute |
S0456 | Aria-body |
Aria-body has the ability to identify the username on a compromised host.[14] |
S0344 | Azorult |
Azorult can collect the username from the victim’s machine.[15] |
S0414 | BabyShark | |
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea collects the current username from the victim.[17] |
S0534 | Bazar | |
S0017 | BISCUIT |
BISCUIT has a command to gather the username from the system.[19] |
S0521 | BloodHound |
BloodHound can collect information on user sessions.[20] |
S0657 | BLUELIGHT |
BLUELIGHT can collect the username on a compromised host.[21] |
S0486 | Bonadan |
Bonadan has discovered the username of the user running the backdoor.[22] |
S0635 | BoomBox |
BoomBox can enumerate the username on a compromised host.[23] |
S0351 | Cannon | |
S0348 | Cardinal RAT |
Cardinal RAT can collect the username from a victim machine.[25] |
S0572 | Caterpillar WebShell |
Caterpillar WebShell can obtain a list of user accounts from a victim's machine.[26] |
S0631 | Chaes |
Chaes has collected the username and UID from the infected machine.[27] |
G0114 | Chimera |
Chimera has used the |
S0667 | Chrommme |
Chrommme can retrieve the username from a targeted system.[29] |
S0660 | Clambling |
Clambling can identify the username on a compromised host.[30][31] |
S0115 | Crimson | |
S0498 | Cryptoistic |
Cryptoistic can gather data on the user of a compromised host.[34] |
S0334 | DarkComet |
DarkComet gathers the username from the victim’s machine.[35] |
S0673 | DarkWatchman |
DarkWatchman has collected the username from a victim machine.[36] |
S0354 | Denis |
Denis enumerates and collects the username from the victim’s machine.[37][9] |
S0021 | Derusbi |
A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.[38] |
S0659 | Diavol |
Diavol can collect the username from a compromised host.[39] |
S0186 | DownPaper |
DownPaper collects the victim username and sends it to the C2 server.[40] |
G0035 | Dragonfly | |
S0694 | DRATzarus |
DRATzarus can obtain a list of users from an infected machine.[42] |
S0024 | Dyre |
Dyre has the ability to identify the users on a compromised host.[43] |
S0554 | Egregor |
Egregor has used tools to gather information about users.[44] |
S0091 | Epic | |
S0568 | EVILNUM |
EVILNUM can obtain the username from the victim's machine.[46] |
S0401 | Exaramel for Linux |
Exaramel for Linux can run |
S0569 | Explosive |
Explosive has collected the username from the infected host.[48] |
S0171 | Felismus |
Felismus collects the current username and sends it to the C2 server.[49] |
S0267 | FELIXROOT |
FELIXROOT collects the username from the victim’s machine.[50][51] |
G0051 | FIN10 |
FIN10 has used Meterpreter to enumerate users on remote systems.[52] |
S0696 | Flagpro |
Flagpro has been used to run the |
S0381 | FlawedAmmyy |
FlawedAmmyy enumerates the current user during the initial infection.[54] |
G0101 | Frankenstein |
Frankenstein has enumerated hosts, gathering username, machine name, and administrative permissions information.[55] |
G0093 | GALLIUM |
GALLIUM used |
G0047 | Gamaredon Group |
A Gamaredon Group file stealer can gather the victim's username to send to a C2 server.[57] |
S0168 | Gazer | |
S0666 | Gelsemium |
Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[29] |
S0460 | Get2 |
Get2 has the ability to identify the current username of an infected host.[59] |
S0249 | Gold Dragon |
Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server.[60] |
S0477 | Goopy |
Goopy has the ability to enumerate the infected system's user name.[9] |
S0531 | Grandoreiro |
Grandoreiro can collect the username from the victim's machine.[61] |
S0237 | GravityRAT |
GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status).[62] |
S0632 | GrimAgent | |
S0214 | HAPPYWORK |
can collect the victim user name.[64] |
S0391 | HAWKBALL | |
S0431 | HotCroissant |
HotCroissant has the ability to collect the username on the infected host.[66] |
S0260 | InvisiMole |
InvisiMole lists local users and session information.[67] |
S0015 | Ixeshe | |
S0201 | JPIN | |
S0265 | Kazuar | |
G0004 | Ke3chang |
Ke3chang has used implants capable of collecting the signed-in username.[71] |
S0250 | Koadic |
Koadic can identify logged in users across the domain and views user sessions.[72][73] |
S0162 | Komplex |
The OsInfo function in Komplex collects the current running username.[74] |
S0356 | KONNI |
KONNI can collect the username from the victim’s machine.[75] |
S0236 | Kwampirs |
Kwampirs collects registered owner details by using the commands |
G0032 | Lazarus Group |
Various Lazarus Group malware enumerates logged-on users.[77][78][79][80][81][34][82] |
S0362 | Linux Rabbit |
Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain. [83] |
S0513 | LiteDuke |
LiteDuke can enumerate the account name on a targeted system.[84] |
S0680 | LitePower |
LitePower can determine if the current user has admin privileges.[85] |
S0681 | Lizar | |
S0447 | Lokibot |
Lokibot has the ability to discover the username on the infected host.[87] |
S0532 | Lucifer |
Lucifer has the ability to identify the username on a compromised host.[88] |
G0059 | Magic Hound |
Magic Hound malware has obtained the victim username and sent it to the C2 server.[89] |
S0652 | MarkiRAT | |
S0459 | MechaFlounder |
MechaFlounder has the ability to identify the username and hostname on a compromised host.[91] |
S0455 | Metamorfo |
Metamorfo has collected the username from the victim's machine.[92] |
S0339 | Micropsia |
Micropsia collects the username from the victim’s machine.[93] |
S0280 | MirageFox |
MirageFox can gather the username from the victim’s machine.[94] |
S0084 | Mis-Type |
Mis-Type runs tests to determine the privilege level of the compromised user.[95] |
S0149 | MoonWind | |
S0284 | More_eggs |
More_eggs has the capability to gather the username from the victim's machine.[97][98] |
S0256 | Mosquito | |
G0069 | MuddyWater |
MuddyWater has used malware that can collect the victim’s username.[100][101] |
S0228 | NanHaiShu | |
S0590 | NBTscan | |
S0272 | NDiskMonitor |
NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel.[105] |
S0691 | Neoichor |
Neoichor can collect the user name from a victim's machine.[71] |
S0385 | njRAT |
njRAT enumerates the current user during the initial infection.[106] |
S0353 | NOKKI |
NOKKI can collect the username from the victim’s machine.[107] |
S0644 | ObliqueRAT |
ObliqueRAT can check for blocklisted usernames on infected endpoints.[108] |
S0340 | Octopus |
Octopus can collect the username from the victim’s machine.[109] |
G0049 | OilRig | |
S0439 | Okrum | |
G0116 | Operation Wocao |
Operation Wocao has enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.[114] |
G0040 | Patchwork |
Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[115][105] |
S0428 | PoetRAT |
PoetRAT sent username, computer name, and the previously generated UUID in reply to a "who" command from C2.[116] |
S0139 | PowerDuke |
PowerDuke has commands to get the current user's name and SID.[117] |
S0441 | PowerShower |
PowerShower has the ability to identify the current user on the infected host.[118] |
S0223 | POWERSTATS |
POWERSTATS has the ability to identify the username on the compromised host.[119] |
S0184 | POWRUNER |
POWRUNER may collect information about the currently logged in user by running |
S0113 | Prikormka |
A module in Prikormka collects information from the victim about the current user name.[121] |
S0192 | Pupy |
Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.[122] |
S0650 | QakBot |
QakBot can identify the user name on a compromised system.[123] |
S0269 | QUADAGENT | |
S0241 | RATANKBA | |
S0662 | RCSession |
RCSession can gather system owner information, including user and administrator privileges.[126] |
S0172 | Reaver | |
S0153 | RedLeaves |
RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.[128] |
S0125 | Remsec | |
S0379 | Revenge RAT |
Revenge RAT gathers the username from the system.[130] |
S0258 | RGDoor | |
S0433 | Rifdoor |
Rifdoor has the ability to identify the username on the compromised host.[66] |
S0448 | Rising Sun |
Rising Sun can detect the username of the infected host.[132] |
S0270 | RogueRobin |
RogueRobin collects the victim’s username and whether that user is an admin.[133] |
S0240 | ROKRAT |
ROKRAT can collect the username from a compromised host.[134] |
S0148 | RTM | |
G0034 | Sandworm Team |
Sandworm Team has collected the username from a compromised host.[136] |
S0461 | SDBbot |
SDBbot has the ability to identify the user on a compromised host.[59] |
S0382 | ServHelper |
ServHelper will attempt to enumerate the username of the victim.[137] |
S0596 | ShadowPad |
ShadowPad has collected the username of the victim system.[138] |
S0450 | SHARPSTATS |
SHARPSTATS has the ability to identify the username on the compromised host.[119] |
S0610 | SideTwist |
SideTwist can collect the username on a targeted system.[112] |
G0121 | Sidewinder |
Sidewinder has used tools to identify the user of a compromised host.[139] |
S0692 | SILENTTRINITY |
SILENTTRINITY can gather a list of logged on users.[140] |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA has collected the username from a victim machine.[141] |
S0649 | SMOKEDHAM |
SMOKEDHAM has used |
S0627 | SodaMaster |
SodaMaster can identify the username on a compromised host.[143] |
S0615 | SombRAT |
SombRAT can execute |
S0543 | Spark |
Spark has run the whoami command and has a built-in command to identify the user logged in.[146] |
S0374 | SpeakUp | |
S0058 | SslMM |
SslMM sends the logged-on username to its hard-coded C2.[148] |
G0038 | Stealth Falcon |
Stealth Falcon malware gathers the registered user and primary owner name via WMI.[149] |
S0559 | SUNBURST |
SUNBURST collected the username from a compromised host.[150][151] |
S0242 | SynAck | |
S0060 | Sys10 |
Sys10 collects the account name of the logged-in user and sends it to the C2.[148] |
S0098 | T9000 |
T9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.[153] |
G0027 | Threat Group-3390 |
Threat Group-3390 has used |
S0266 | TrickBot |
TrickBot can identify the user and groups the user belongs to on a compromised host.[154] |
S0094 | Trojan.Karagany |
Trojan.Karagany can gather information about the user on a compromised host.[155] |
G0081 | Tropic Trooper |
Tropic Trooper used |
S0647 | Turian | |
S0130 | Unknown Logger |
Unknown Logger can obtain information about the victim usernames.[158] |
S0275 | UPPERCUT |
UPPERCUT has the capability to collect the current logged on user’s username from a machine.[159] |
S0476 | Valak | |
S0257 | VERMIN | |
S0515 | WellMail |
WellMail can identify the current username on the victim system.[162] |
S0514 | WellMess |
WellMess can collect the username on the victim machine to send to C2.[163] |
S0155 | WINDSHIELD |
WINDSHIELD can gather the victim user name.[164] |
G0112 | Windshift |
Windshift has used malware to identify the username on a compromised host.[165] |
S0219 | WINERACK | |
S0059 | WinMM |
WinMM uses NetUser-GetInfo to identify that it is running under an "Admin" account on the local system.[148] |
G0102 | Wizard Spider |
Wizard Spider has used "whoami" to identify the local user and their privileges.[166] |
S0161 | XAgentOSX |
XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user.[167] |
S0248 | yty | |
S0251 | Zebrocy | |
G0128 | ZIRCONIUM |
ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.[171] |
S0350 | zwShell |
zwShell can obtain the name of the logged-in user on the victim.[172] |
S0412 | ZxShell |
ZxShell can collect the owner and organization information from the target workstation.[173] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.