System Owner/User Discovery
Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including `whoami`. On macOS and Linux, the currently logged-in user can be identified with `w` and `who`. On macOS the `dscl . list /Users | grep -v '_'` command can also be used to enumerate user accounts. Environment variables, such as `%USERNAME%` and `$USER`, may also be used to access this information. On network devices, Network Device CLI commands such as `show users` and `show ssh` can be used to display users currently logged into the device.
Detection logic
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as `whoami`, `w`, `who`, `query user`, and `dscl . list /Users`. Remote access tools with built-in features may interact directly with the Windows API to gather information, so command-line monitoring alone will not catch every instance. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations.
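The detection logic above, applied to both the host commands listed in the technique description and the network-device AAA case, as an added example that is not MITRE's code. It classifies process-creation events by the discovery command they run, then treats two or more distinct discovery commands from the same parent process within a short window as a chain of behavior rather than an isolated hit, and separately flags `show` commands in AAA logs issued by users or source addresses outside an allow-list. The event dictionaries, the AAA log line format, the hostnames, users and address ranges are all constructed for the example; map them onto your own telemetry (Sysmon event 1, auditd EXECVE, EDR process-creation, TACACS+ accounting) before use.

```python
"""Detection sketch for System Owner/User Discovery (T1033). Added example; event
and log formats below are constructed, not a real product's schema."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executable basename -> predicate on the argument list. A predicate lets us count
# `dscl` only when it lists /Users and `query` only for `query user`.
DISCOVERY_COMMANDS = {
    "whoami": lambda args: True,
    "w": lambda args: True,
    "who": lambda args: True,
    "id": lambda args: True,
    "logname": lambda args: True,
    "users": lambda args: True,
    "quser": lambda args: True,
    "query": lambda args: bool(args) and args[0].lower() == "user",
    "dscl": lambda args: "list" in [a.lower() for a in args]
    and any(a.lower().endswith("/users") for a in args),
}
# Shells echoing the user environment variable (`echo %USERNAME%`, `echo $USER`).
ENV_USER_RE = re.compile(r"%USERNAME%|\$env:USERNAME|\$USER\b|\$LOGNAME\b", re.IGNORECASE)
SHELLS = {"cmd", "powershell", "pwsh", "sh", "bash", "zsh"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keep quoted arguments together


def basename(path):
    """Strip quotes, directories and a trailing .exe from an image path."""
    name = path.strip("\"'").rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Return the discovery command a process command line runs, or None."""
    tokens = TOKEN_RE.findall(cmdline)
    if not tokens:
        return None
    exe, args = basename(tokens[0]), tokens[1:]
    pred = DISCOVERY_COMMANDS.get(exe)
    if pred and pred(args):
        return exe
    if exe in SHELLS and ENV_USER_RE.search(cmdline):
        return "env-user-var"
    return None


def correlate(events, window=timedelta(minutes=5)):
    """Isolated hits are low severity; two or more distinct discovery commands from
    one parent process on one host within `window` are reported as a chain."""
    by_parent = defaultdict(list)
    for ev in events:
        cmd = classify(ev["cmdline"])
        if cmd:
            by_parent[(ev["host"], ev["parent_pid"])].append({**ev, "cmd": cmd})
    alerts = []
    for (host, ppid), group in by_parent.items():
        group.sort(key=lambda h: h["ts"])
        distinct = sorted({h["cmd"] for h in group})
        if len(distinct) >= 2 and group[-1]["ts"] - group[0]["ts"] <= window:
            alerts.append({"host": host, "parent_pid": ppid, "severity": "high", "commands": distinct})
        else:
            alerts.extend({"host": host, "parent_pid": ppid, "severity": "low", "commands": [h["cmd"]]}
                          for h in group)
    return alerts


# Constructed AAA accounting line format: `... user=<u> src=<ip> cmd="<command>"`.
AAA_RE = re.compile(r'user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>[^"]+)"')


def check_aaa(line, allowed_users, allowed_nets):
    """For a `show` command, return the reasons it is suspicious (empty list if none);
    return None for lines that are not `show` commands."""
    m = AAA_RE.search(line)
    if not m or not m["cmd"].startswith("show "):
        return None
    reasons = []
    if m["user"] not in allowed_users:
        reasons.append("non-standard user")
    if not any(ipaddress.ip_address(m["src"]) in net for net in allowed_nets):
        reasons.append("non-standard source")
    return reasons


T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed process-creation events
    {"ts": T0, "host": "ws01", "parent_pid": 4120, "cmdline": "whoami.exe /all"},
    {"ts": T0 + timedelta(seconds=3), "host": "ws01", "parent_pid": 4120, "cmdline": "query user"},
    {"ts": T0 + timedelta(seconds=5), "host": "ws01", "parent_pid": 4120, "cmdline": 'cmd.exe /c "echo %USERNAME%"'},
    {"ts": T0 + timedelta(seconds=8), "host": "ws01", "parent_pid": 4120, "cmdline": "ipconfig /all"},
    {"ts": T0 + timedelta(minutes=2), "host": "mac07", "parent_pid": 913, "cmdline": "dscl . list /Users"},
    {"ts": T0 + timedelta(minutes=30), "host": "srv02", "parent_pid": 2201, "cmdline": "/usr/bin/who"},
]
AAA_LINES = [  # constructed network-device accounting records
    '2024-05-01T09:31:02Z rtr-core1 tacacs: user=svc_backup src=203.0.113.5 cmd="show users"',
    '2024-05-01T09:40:11Z rtr-core1 tacacs: user=netops01 src=10.20.0.14 cmd="show ssh"',
    '2024-05-01T09:41:00Z rtr-core1 tacacs: user=netops01 src=10.20.0.14 cmd="configure terminal"',
]
ALLOWED_USERS = {"netops01", "netops02"}            # assumed network operations accounts
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed management network

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
    for line in AAA_LINES:
        print(check_aaa(line, ALLOWED_USERS, ALLOWED_NETS), line)
```

The isolated `whoami` on a workstation is legitimately noisy, which is why the chain rule carries the severity; in practice you would also weight hits by parent image (a discovery command spawned by an Office application, a web server worker or a scripting host is far more interesting than one spawned from an administrator's interactive shell).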
Observed actors
G0082
G0093 GALLIUM
G0022 APT3
G1017 Volt Typhoon
G0040 Patchwork
G0096 APT41
G0035 Dragonfly
G0050 APT32
G0125 HAFNIUM
G0069 MuddyWater
G0047 Gamaredon Group
G0046 FIN7
G0034 Sandworm Team
G0121 Sidewinder
G0128 ZIRCONIUM
G0087 APT39
G0067 APT37
G0049 OilRig
G0081 Tropic Trooper
G0143 Aquatic Panda
G0004 Ke3chang
G1035 Winter Vivern
G0038 Stealth Falcon
G0114 Chimera
G0112 Windshift
G1014 LuminousMoth
G0007 APT28
G0032 Lazarus Group
G1006 Earth Lusca
G0102 Wizard Spider
G1036 Moonstone Sleet
G1001 HEXANE
G0059 Magic Hound
G0027 Threat Group-3390
G0051 FIN10
G0061 FIN8
G0073 APT19