Description
Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including `whoami`. On macOS and Linux, the currently logged-in user can be identified with `w` and `who`. On macOS the `dscl . list /Users | grep -v '_'` command can also be used to enumerate user accounts. Environment variables, such as `%USERNAME%` and `$USER`, may also be used to access this information.
On network devices, Network Device CLI commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
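The utilities named above (`whoami`, `quser`, `w`, `who`, `dscl . list /Users`, and `%USERNAME%`/`$USER` lookups) are also routine administrative commands, so a detection that fires on any single invocation is noisy. The script below is an added example, not part of the ATT&CK page or any vendor product: it classifies process-creation events by the discovery utility they invoke and only raises an alert when several distinct user-discovery commands run from the same host, user and parent process inside a short window, which is the shape automated discovery takes. The event schema (`ts`, `host`, `user`, `parent`, `cmd`), the sample events and the window and threshold values are all constructed assumptions for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (JSON lines). The field names are an
# assumption for this example, not any particular EDR or Sysmon schema.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T10:00:01", "host": "ws01", "user": "alice", "parent": "powershell.exe", "cmd": "C:\\Windows\\System32\\cmd.exe /C quser"}
{"ts": "2024-05-01T10:00:03", "host": "ws01", "user": "alice", "parent": "powershell.exe", "cmd": "whoami /all"}
{"ts": "2024-05-01T10:00:04", "host": "ws01", "user": "alice", "parent": "powershell.exe", "cmd": "cmd.exe /C echo %USERNAME%"}
{"ts": "2024-05-01T10:00:05", "host": "ws01", "user": "alice", "parent": "powershell.exe", "cmd": "ipconfig /all"}
{"ts": "2024-05-01T10:05:00", "host": "srv02", "user": "bob", "parent": "sshd", "cmd": "w"}
{"ts": "2024-05-01T10:07:00", "host": "mac03", "user": "carol", "parent": "bash", "cmd": "dscl . list /Users | grep -v '_'"}
{"ts": "2024-05-01T10:07:02", "host": "mac03", "user": "carol", "parent": "bash", "cmd": "who"}
"""

# Patterns for the user-discovery utilities named in the technique description.
# Each pattern requires the utility name to stand alone (start of line, after a
# path separator or whitespace) so that "powershell.exe" or "C:\Windows" does
# not match the short "w"/"who" pattern.
USER_DISCOVERY_PATTERNS = [
    ("whoami", re.compile(r"(^|[\\/\s])whoami(\.exe)?\b", re.I)),
    ("quser", re.compile(r"(^|[\\/\s])quser(\.exe)?\b", re.I)),
    ("w/who", re.compile(r"(^|[\\/\s])(w|who)(\s|$)", re.I)),
    ("dscl users", re.compile(r"dscl\s+\.\s+list\s+/Users", re.I)),
    ("env username", re.compile(r"(%USERNAME%|\$USER\b|\$env:USERNAME)", re.I)),
]


def classify(cmdline):
    """Return the label of the first user-discovery pattern a command line matches, or None."""
    for label, pattern in USER_DISCOVERY_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_user_discovery(events, window_seconds=60, min_hits=2):
    """Group matched events by (host, user, parent) and report bursts.

    A burst is at least `min_hits` user-discovery commands whose timestamps fall
    within `window_seconds` of the first one. Isolated invocations (an admin
    typing `w` once) produce no alert; they remain available via classify() for
    hunting.
    """
    groups = defaultdict(list)
    for ev in events:
        label = classify(ev["cmd"])
        if label is None:
            continue
        key = (ev["host"], ev["user"], ev["parent"])
        groups[key].append((datetime.fromisoformat(ev["ts"]), label, ev["cmd"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, user, parent), hits in groups.items():
        hits.sort()  # chronological order within the group
        i = 0
        while i < len(hits):
            # Extend the burst while later hits stay inside the window of hits[i].
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            burst = hits[i:j + 1]
            if len(burst) >= min_hits:
                alerts.append({
                    "host": host,
                    "user": user,
                    "parent": parent,
                    "start": burst[0][0].isoformat(),
                    "techniques": sorted({b[1] for b in burst}),
                    "commands": [b[2] for b in burst],
                })
            i = j + 1
    return alerts


if __name__ == "__main__":
    for alert in find_user_discovery(load_events(SAMPLE_EVENTS)):
        print(f"[T1033 burst] {alert['host']} {alert['user']} via {alert['parent']} "
              f"at {alert['start']}: {', '.join(alert['techniques'])}")
```

On the sample data the `ws01` PowerShell session (quser, whoami, `%USERNAME%`) and the `mac03` bash session (dscl, who) produce alerts, while the single `w` on `srv02` does not. Tuning the parent-process dimension is where most of the value lies: the same three commands launched from an interactive shell and from an Office macro or a scheduled task deserve very different priorities, and the grouping key makes that distinction available to the rule.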
Platforms
Threat Groups (40)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has identified primary users, currently logged in users, sets of users that commonly use a system, or i... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) deployed various malware such as YouieLoader that can perform system user discovery actions.(... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has executed the command `quser` to display the session details of a compromised machine.(Citation: Syma... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used implants capable of collecting the signed-in username.(Citation: Microsoft NICKEL December ... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used the command `cmd.exe /C quser` to collect user session information.(Citation: Mandiant FIN7 Apr... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used `whoami` to gather user information.(Citation: Rapid7 HAFNIUM Mar 2021) |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) PowerShell scripts execute `whoami` to identify the executing user.(Citation: SentinelOne Winte... |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.(Citation: ... |
| G0051 | FIN10 | [FIN10](https://attack.mitre.org/groups/G0051) has used Meterpreter to enumerate users on remote systems.(Citation: FireEye FIN10 June 2017) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) collected the victim's username and executed the `whoami` command on the victim's machine. [... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) used [Remexi](https://attack.mitre.org/software/S0375) to collect usernames from the system.(Citation: ... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) identifies the victim username.(Citation: Talos Group123) |
| G0032 | Lazarus Group | Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware enumerates logged-on users.(Citation: Novetta Blockbuster)(Citation: Novetta Bl... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) used `letmein` to scan for saved usernames on the target system.(Citation: TrendMic... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used `whoami` to collect system user information.(Citation: Trend Micro DRBControl Febr... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) collected information on user accounts via the `whoami` command.(Citation: TrendMicro ... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has obtained the victim username and sent it to the C2 server.(Citation: Unit 42 Magic Ho... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to capture the username on a compromised host in order to register it with C2.(Cita... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used the `quser` command to show currently logged on users.(Citation: NCC Group Chimer... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) collected the victim username and whether it was running as admin, then sent the information to its... |
Associated Software (193)
| ID | Name | Type | Context |
|---|---|---|---|
| S0094 | Trojan.Karagany | Malware | [Trojan.Karagany](https://attack.mitre.org/software/S0094) can gather information about the user on a compromised host.(Citation: Secureworks Karagany... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) sent username, computer name, and the previously generated UUID in reply to a "who" command from C2... |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) gathers the username from the system.(Citation: Cylance Shaheen Nov 2018) |
| S0694 | DRATzarus | Malware | [DRATzarus](https://attack.mitre.org/software/S0694) can obtain a list of users from an infected machine.(Citation: ClearSky Lazarus Aug 2020) |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) can identify the user and groups the user belongs to on a compromised host.(Citation: Cyberreason ... |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) has collected the username of the victim system.(Citation: Kaspersky ShadowPad Aug 2017) |
| S1030 | Squirrelwaffle | Malware | [Squirrelwaffle](https://attack.mitre.org/software/S1030) can collect the user name from a compromised host.(Citation: ZScaler Squirrelwaffle Sep 2021... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has enumerated all users connected to network shares. |
| S0590 | NBTscan | Tool | [NBTscan](https://attack.mitre.org/software/S0590) can list active users on the system.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan ... |
| S0272 | NDiskMonitor | Malware | [NDiskMonitor](https://attack.mitre.org/software/S0272) obtains the victim username and encrypts the information to send over its C2 channel.(Citation... |
| S1226 | BOOKWORM | Malware | [BOOKWORM](https://attack.mitre.org/software/S1226) has obtained the username from an infected host. (Citation: Unit42 Bookworm Nov2015) |
| S0414 | BabyShark | Malware | [BabyShark](https://attack.mitre.org/software/S0414) has executed the `whoami` command.(Citation: Unit42 BabyShark Feb 2019) |
| S0514 | WellMess | Malware | [WellMess](https://attack.mitre.org/software/S0514) can collect the username on the victim machine to send to C2.(Citation: CISA WellMess July 2020) |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) can collect the username from the compromised machine.(Citation: ESET DazzleSpy Jan 2022) |
| S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has gathered the victim machine’s username.(Citation: CloudSEK_RustyWater_Jan2026) |
| S0058 | SslMM | Malware | [SslMM](https://attack.mitre.org/software/S0058) sends the logged-on username to its hard-coded C2.(Citation: Baumgartner Naikon 2015) |
| S0657 | BLUELIGHT | Malware | [BLUELIGHT](https://attack.mitre.org/software/S0657) can collect the username on a compromised host.(Citation: Volexity InkySquid BLUELIGHT August 202... |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes modules for identifying local users and administrators on victim machines.(Citation: Symante... |
| S1034 | StrifeWater | Malware | [StrifeWater](https://attack.mitre.org/software/S1034) can collect the user name from the victim's machine.(Citation: Cybereason StrifeWater Feb 2022) |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) has the ability to identify the user name.(Citation: Google EXOTIC LILY March 2022) |
References
- Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
- US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Frequently Asked Questions
What is T1033 (System Owner/User Discovery)?
T1033 is a MITRE ATT&CK technique named 'System Owner/User Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example,...
How can T1033 be detected?
Detection of T1033 (System Owner/User Discovery) typically involves monitoring process-creation telemetry for the utilities named above (for example `whoami`, `quser`, `w`, `who` and `dscl`), together with system logs and network traffic. Use SIEM rules, EDR solutions, and behavioral analytics to distinguish routine administrative use of these commands from the bursts of discovery activity associated with this technique.
What mitigations exist for T1033?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1033?
Known threat groups using T1033 include: APT38, Moonstone Sleet, FIN8, Ke3chang, FIN7, HAFNIUM, Winter Vivern, APT19.