MITRE Technique [T1033] System Owner/User Discovery

[T1033] System Owner/User Discovery – Adversaries probe systems to identify who owns or is currently using a device, then use that answer to guide next steps such as privilege escalation or targeted lateral movement. Knowing which accounts are active lets an attacker tailor follow-on actions and avoid noisy behavior that would draw attention. #SystemOwnerDiscovery #UserDiscovery

Keypoints

  • Adversaries enumerate user accounts using commands and environment variables to determine primary and logged-in users.
  • whoami returns the current account on Windows, Linux, and macOS; w and who list logged-in sessions on Linux and macOS; on macOS, dscl . list /Users enumerates local accounts. Environment variables such as %USERNAME% (Windows) and $USER (Unix-like) expose the same information without spawning a tool.
  • Network devices expose logged-in sessions through CLI commands such as show users and show ssh.
  • Discovery output often feeds automated decision logic that decides whether to fully infect the host, persist, exfiltrate, or pivot.
  • Monitoring command-line arguments, WMI, and PowerShell activity helps detect user-discovery attempts.

Description:

  • Like a trespasser checking mailboxes to see who lives in a house, attackers probe a system to learn who uses it and how it’s occupied.
  • Adversaries gather account and session details from commands, environment variables, the ownership of running processes and files, and logs to learn who the primary and currently active users are. That knowledge shapes targeted actions, privilege escalation, and the decision of whether to fully compromise the system or move on.

Detection:

  • Monitor and alert on execution of user-enumeration commands (e.g., whoami, w, who, dscl) and suspicious CLI patterns; use EDR to capture command-line arguments and parent processes. On their own these commands are common in administrative scripts, so weight alerts by parent process (an Office application or script host spawning whoami is far more suspicious than an interactive shell doing so) and by clustering with other discovery commands on the same host.
  • Log and analyze PowerShell and WMI usage; enable PowerShell module logging, script block logging, and WMI event subscription logs to spot automated discovery.
  • Collect process creation and OS API execution events; look for processes querying user, session, or token information outside normal baselines.
  • In Windows, correlate access to Active Directory objects and registry keys with account enumeration behaviors to identify reconnaissance chains.
  • For network devices, enable AAA/command logging and alert on non-standard accounts running show users/show ssh from unusual sources or at odd times.
  • Monitor file and directory ownership queries and file access patterns that reveal user lists; flag rapid enumeration across many files or home directories as suspicious.
  • Inspect network traffic content and flows for check-in or beacon messages that carry the discovered username or hostname; correlate with process and command logs to reduce false positives.
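The detection bullets above, as an added example that is not part of the MITRE page: a small detector that classifies process-creation and network-device command records for user-discovery indicators and raises three kinds of alert (discovery spawned by a suspicious parent, a chain of distinct discovery indicators on one host, and show users/show ssh from outside the management network). The suspicious-parent list, the management network prefix, the 300-second window, and every sample event are assumptions constructed for the example and should be tuned to a real environment.

```python
"""Detection logic for T1033 System Owner/User Discovery.

Added example, not MITRE's code. Runs over constructed process-creation
events (Sysmon/EDR style) and network-device command-accounting records.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str       # "process" (endpoint) or "netdev" (AAA command accounting)
    user: str
    parent: str     # parent image for processes, source address for netdev
    cmdline: str
    ts: int         # epoch seconds


# Session/user discovery commands named on the T1033 page.
SESSION_COMMANDS = {"whoami", "w", "who"}
# Parents that have no business asking who the user is (assumed baseline;
# tune to your environment).
SUSPICIOUS_PARENTS = {"winword", "excel", "outlook", "wscript", "mshta"}
# Assumed management network; show users/show ssh from anywhere else is unusual.
MGMT_SOURCES = ("10.0.0.",)
# Environment-variable reads that reveal the user without spawning a tool.
ENV_VAR_RE = re.compile(r"%USERNAME%|\$env:USERNAME|\$USER\b", re.IGNORECASE)
NETDEV_RE = re.compile(r"show\s+(users|ssh)\b", re.IGNORECASE)


def _basename(token):
    """C:\\Windows\\System32\\whoami.exe -> whoami; /usr/bin/w -> w."""
    name = re.split(r"[\\/]", token)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(ev):
    """Return a label for the user-discovery indicator in one event, or None."""
    cmd = ev.cmdline.strip()
    if ev.kind == "netdev":
        m = NETDEV_RE.match(cmd)
        return "show " + m.group(1).lower() if m else None
    tokens = cmd.split()
    # Command positions: the first token and whatever follows an inline-shell
    # switch, so "cmd.exe /c whoami /all" and "sh -c who" both resolve.
    positions = [0] + [i + 1 for i, t in enumerate(tokens) if t.lower() in ("/c", "/k", "-c")]
    for i in positions:
        if i >= len(tokens):
            continue
        name = _basename(tokens[i])
        if name in SESSION_COMMANDS:
            return name
        if name == "dscl" and "/users" in cmd.lower():
            return "dscl user list"
    if ENV_VAR_RE.search(cmd):
        return "username env var"
    if "win32_computersystem" in cmd.lower():   # WMI class whose UserName property names the logged-on user
        return "WMI UserName"
    return None


def detect(events, window=300, chain_min=3):
    """Alert on (1) discovery spawned by a suspicious parent, (2) chain_min
    distinct indicators on one host inside `window` seconds, (3) netdev
    session queries from outside the management network."""
    alerts, recent, chained = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e.ts):
        label = classify(ev)
        if label is None:
            continue
        if ev.kind == "netdev":
            if not ev.parent.startswith(MGMT_SOURCES):
                alerts.append({"rule": "netdev_session_query", "host": ev.host,
                               "user": ev.user, "source": ev.parent, "indicator": label})
            continue
        if _basename(ev.parent) in SUSPICIOUS_PARENTS:
            alerts.append({"rule": "suspicious_parent", "host": ev.host,
                           "user": ev.user, "parent": ev.parent, "indicator": label})
        # Keep only indicators inside the window, then check for a chain.
        recent[ev.host] = [(t, l) for t, l in recent[ev.host] if ev.ts - t <= window] + [(ev.ts, label)]
        if ev.host not in chained and len({l for _, l in recent[ev.host]}) >= chain_min:
            chained.add(ev.host)
            alerts.append({"rule": "discovery_chain", "host": ev.host, "user": ev.user,
                           "indicators": sorted({l for _, l in recent[ev.host]})})
    return alerts


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    Event("ws01", "process", "jdoe", r"C:\Windows\explorer.exe", "cmd.exe /c ver", 1000),
    Event("ws01", "process", "jdoe", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          r"C:\Windows\System32\cmd.exe /c whoami /all", 1010),
    Event("srv02", "process", "svc_web", "/bin/bash", "/usr/bin/w", 2000),
    Event("srv02", "process", "svc_web", "/bin/bash", "who -u", 2030),
    Event("srv02", "process", "svc_web", "/bin/bash", "sh -c 'echo $USER'", 2060),
    Event("mac03", "process", "alice", "/bin/zsh", "dscl . list /Users", 3000),
    Event("rtr01", "netdev", "admin", "10.0.0.15", "show users", 4000),
    Event("rtr01", "netdev", "netops-tmp", "203.0.113.7", "show ssh", 4100),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the sample produces one alert per rule: whoami spawned under WINWORD.EXE on ws01, a three-indicator chain (w, who, $USER) within a minute on srv02, and show ssh from 203.0.113.7 on rtr01. The lone dscl call on mac03 and show users from the management network are deliberately left silent: a single user-discovery command is routine, and the value of the detector comes from the parent-process and clustering context rather than from the command names themselves.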

Tactics:
Discovery

Platforms:
Linux, Network Devices, Windows, macOS

Data Sources:
Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access

Relationship Citations:
(Citation: Cybereason StrifeWater Feb 2022),(Citation: Microsoft Moonstone Sleet 2024),(Citation: Proofpoint TA505 Mar 2018),(Citation: McAfee Night Dragon),(Citation: FireEye APT41 Aug 2019),(Citation: MalwareBytes WoodyRAT Aug 2022),(Citation: ESET Okrum July 2019),(Citation: Bitdefender LuminousMoth July 2021),(Citation: Unit42 BabyShark Feb 2019),(Citation: BlackBerry Amadey 2020),(Citation: Symantec Chafer Dec 2015),(Citation: Anomali Linux Rabbit 2018),(Citation: ESET OilRig Downloaders DEC 2023),(Citation: Novetta Blockbuster),(Citation: FireEye APT34 Dec 2017),(Citation: Carbon Black HotCroissant April 2020),(Citation: Microsoft Analyzing Solorigate Dec 2020),(Citation: Kaspersky QakBot September 2021),(Citation: Symantec Orangeworm April 2018),(Citation: Security Intelligence More Eggs Aug 2019),(Citation: Symantec Daggerfly 2023),(Citation: Sofacy Komplex Trojan),(Citation: Securelist APT10 March 2021),(Citation: SecureList SynAck Doppelgänging May 2018),(Citation: ClearSky Charming Kitten Dec 2017),(Citation: FireEye APT32 April 2020),(Citation: ESET EvasivePanda 2024),(Citation: ClearSky Lazarus Aug 2020),(Citation: Unit 42 NOKKI Sept 2018),(Citation: Secureworks Karagany July 2019),(Citation: NCC Group Team9 June 2020),(Citation: FireEye HAWKBALL Jun 2019),(Citation: TrendMicro EarthLusca 2022),(Citation: Cybereason Chaes Nov 2020),(Citation: Unit 42 RGDoor Jan 2018),(Citation: rapid7-email-bombing),(Citation: Talos GravityRAT),(Citation: Trend Micro Black Basta October 2022),(Citation: FSecure Lokibot November 2019),(Citation: TrendMicro DarkComet Sept 2014),(Citation: DFIR Report APT35 ProxyShell March 2022),(Citation: Unit 42 C0d0so0 Jan 2016),(Citation: Sekoia Raccoon1 2022),(Citation: Kaspersky ProjectSauron Technical Analysis),(Citation: FireEye FIN10 June 2017),(Citation: MalwareBytes LazyScripter Feb 2021),(Citation: Securelist Octopus Oct 2018),(Citation: ESET Gelsemium June 2021),(Citation: SentinelOne Lazarus macOS July 2020),
(Citation: CheckPoint Volatile Cedar March 2015),(Citation: ESET RTM Feb 2017),(Citation: PWC Cloud Hopper Technical Annex April 2017),(Citation: Proofpoint TA505 Jan 2019),(Citation: ASERT Donot March 2018),(Citation: Unit42 Azorult Nov 2018),(Citation: Cylance Shaheen Nov 2018),(Citation: Unit 42 MechaFlounder March 2019),(Citation: CISA AA20-239A BeagleBoyz August 2020),(Citation: Citizen Lab Stealth Falcon May 2016),(Citation: CheckPoint Naikon May 2020),(Citation: ClearSky Siamesekitten August 2021),(Citation: Palo Alto Reaver Nov 2017),(Citation: Secureworks Gold Prelude Profile),(Citation: Volexity PowerDuke November 2016),(Citation: CISA AR21-126A FIVEHANDS May 2021),(Citation: Prevailion DarkWatchman 2021),(Citation: Kaspersky Cloud Atlas August 2019),(Citation: Palo Alto MoonWind March 2017),(Citation: Securelist Denis April 2017),(Citation: Zscaler APT31 Covid-19 October 2020),(Citation: Sophos New Ryuk Attack October 2020),(Citation: Talos Micropsia June 2017),(Citation: ESET OceanLotus),(Citation: CISA WellMess July 2020),(Citation: Unit42 Molerat Mar 2020),(Citation: Unit 42 Magic Hound Feb 2017),(Citation: Unit 42 Lucifer June 2020),(Citation: Securelist MuddyWater Oct 2018),(Citation: Cylance Dust Storm),(Citation: Lunghi Iron Tiger Linux),(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023),(Citation: Kaspersky Ferocious Kitten Jun 2021),(Citation: GitHub Pupy),(Citation: MalwareBytes SideCopy Dec 2021),(Citation: Malwarebytes RokRAT VBA January 2021),(Citation: McAfee Gold Dragon),(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024),(Citation: ESET Turla Mosquito Jan 2018),(Citation: Trend Micro Muddy Water March 2021),(Citation: Cymmetria Patchwork),(Citation: Unit42 Cannon Nov 2018),(Citation: Debian nbtscan Nov 2019),(Citation: S2W Racoon 2022),(Citation: Talos Cobalt Group July 2018),(Citation: Fortinet Agent Tesla April 2018),(Citation: ESET Casbaneiro Oct 2019),(Citation: SentinelOne WinterVivern 2023),(Citation: Forcepoint Felismus Mar 2017),
(Citation: Red Canary SocGholish March 2024),(Citation: Korean FSI TA505 2020),(Citation: Talos Frankenstein June 2019),(Citation: Secureworks BRONZE SILHOUETTE May 2023),(Citation: US District Court Indictment GRU Unit 74455 October 2020),(Citation: MSTIC Nobelium Toolset May 2021),(Citation: Unit 42 DarkHydrus July 2018),(Citation: Mandiant Suspected Turla Campaign February 2023),(Citation: Mandiant APT41),(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022),(Citation: ThreatExpert Agent.btz),(Citation: ESET ForSSHe December 2018),(Citation: ESET Dukes October 2019),(Citation: Cybereason Cobalt Kitty 2017),(Citation: TrendMicro TropicTrooper 2015),(Citation: FoxIT Wocao December 2019),(Citation: FireEye FELIXROOT July 2018),(Citation: Bitdefender FunnyDream Campaign November 2020),(Citation: BlackBerry CostaRicto November 2020),(Citation: TrendMicro Patchwork Dec 2017),(Citation: Kaspersky Turla Aug 2014),(Citation: APT15 Intezer June 2018),(Citation: CISA AR18-352A Quasar RAT December 2018),(Citation: Kaspersky ShadowPad Aug 2017),(Citation: Cybereason Valak May 2020),(Citation: Prevailion EvilNum May 2020),(Citation: Proofpoint Operation Transparent Tribe March 2016),(Citation: FireEye Operation Double Tap),(Citation: US-CERT TA18-074A),(Citation: ESET GreyEnergy Oct 2018),(Citation: Talos PoetRAT April 2020),(Citation: Microsoft BlackCat Jun 2022),(Citation: NCC Group Chimera January 2021),(Citation: Palo Alto Gamaredon Feb 2017),(Citation: Volexity InkySquid BLUELIGHT August 2021),(Citation: Symantec FIN8 Jul 2023),(Citation: Lazarus APT January 2022),(Citation: SecTools nbtscan June 2003),(Citation: Forcepoint Monsoon),(Citation: Palo Alto OilRig May 2016),(Citation: ESET Operation Groundbait),(Citation: RATANKBA),(Citation: Trend Micro IXESHE 2012),(Citation: CISA WellMail July 2020),(Citation: XAgentOSX 2017),(Citation: Costa AvosLocker May 2022),(Citation: SocGholish-update),(Citation: ESET InvisiMole June 2018),
(Citation: TrendMicro RaspberryRobin 2022),(Citation: Talos ZxShell Oct 2014),(Citation: Cisco Talos Bitter Bangladesh May 2022),(Citation: Fidelis njRAT June 2013),(Citation: ESET OilRig Campaigns Sep 2023),(Citation: Checkpoint MosesStaff Nov 2021),(Citation: Crowdstrike HuntReport 2022),(Citation: Telefonica Snip3 December 2021),(Citation: Fortinet Diavol July 2021),(Citation: Elastic Latrodectus May 2024),(Citation: Cybereason OperationCuckooBees May 2022),(Citation: BlackBerry Bahamut),(Citation: CISA MAR SLOTHFULMEDIA October 2020),(Citation: CISA Zebrocy Oct 2020),(Citation: DFIR Phosphorus November 2021),(Citation: GitHub SILENTTRINITY Modules July 2019),(Citation: Symantec Dragonfly),(Citation: Mandiant FIN7 Apr 2022),(Citation: Unit 42 VERMIN Jan 2018),(Citation: Acronis XLoader 2021),(Citation: Malwarebytes Dyreza November 2015),(Citation: FireEye APT32 May 2017),(Citation: Kandji Cuckoo April 2024),(Citation: Mandiant UNC3313 Feb 2022),(Citation: Malwarebytes Saint Bot April 2021),(Citation: ESET DazzleSpy Jan 2022),(Citation: NCSC GCHQ Small Sieve Jan 2022),(Citation: PaloAlto CardinalRat Apr 2017),(Citation: ATT Sidewinder January 2021),(Citation: McAfee Sharpshooter December 2018),(Citation: FireEye APT10 Sept 2018),(Citation: NTT Security Flagpro new December 2021),(Citation: Group IB GrimAgent July 2021),(Citation: Intrinsec Egregor Nov 2020),(Citation: Talos Oblique RAT March 2021),(Citation: Google EXOTIC LILY March 2022),(Citation: Rostovcev APT41 2021),(Citation: Zscaler Lyceum DnsSystem June 2022),(Citation: HP SVCReady Jun 2022),(Citation: Securelist WhiteBear Aug 2017),(Citation: BiZone Lizar May 2021),(Citation: Talos Konni May 2017),(Citation: Malwarebytes Agent Tesla April 2020),(Citation: NGLite Trojan),(Citation: TrendMicro POWERSTATS V3 June 2019),(Citation: Kaspersky Lyceum October 2021),(Citation: Microsoft NICKEL December 2021),(Citation: Cyberreason Anchor December 2019),(Citation: Kaspersky Transparent Tribe August 2020),
(Citation: FireEye SUNBURST Backdoor December 2020),(Citation: FireEye SMOKEDHAM June 2021),(Citation: Fidelis Turbo),(Citation: ANSSI Sandworm January 2021),(Citation: Microsoft PLATINUM April 2016),(Citation: fsecure NanHaiShu July 2016),(Citation: Profero APT27 December 2020),(Citation: Mandiant ROADSWEEP August 2022),(Citation: CrowdStrike BloodHound April 2018),(Citation: Talent-Jump Clambling February 2020),(Citation: ClearSky Lebanese Cedar Jan 2021),(Citation: Talos Group123),(Citation: FireEye APT37 Feb 2018),(Citation: Baumgartner Naikon 2015),(Citation: ESET BackdoorDiplomacy Jun 2021),(Citation: Novetta Blockbuster Destructive Malware),(Citation: Microsoft POLONIUM June 2022),(Citation: ESET Zebrocy Nov 2018),(Citation: Github Koadic),(Citation: Cybereason Soft Cell June 2019),(Citation: CheckPoint SpeakUp Feb 2019),(Citation: DigiTrust Agent Tesla Jan 2017),(Citation: ESET Grandoreiro April 2020),(Citation: Mandiant APT1 Appendix),(Citation: Proofpoint TA505 October 2019),(Citation: Trend Micro DRBControl February 2020),(Citation: Novetta Blockbuster RATs),(Citation: Unit 42 Kazuar May 2017),(Citation: Check Point APT34 April 2021),(Citation: SentinelLabs Metador Technical Appendix Sept 2022),(Citation: Rapid7 HAFNIUM Mar 2021),(Citation: Sekoia Raccoon2 2022),(Citation: Unit 42 QUADAGENT July 2018),(Citation: Palo Alto T9000 Feb 2016),(Citation: BitDefender BADHATCH Mar 2021),(Citation: ESET Turla Lunar toolset May 2024),(Citation: ZScaler Squirrelwaffle Sep 2021),(Citation: McAfee Lazarus Resurfaces Feb 2018),(Citation: Novetta Blockbuster Loaders),(Citation: DHS CISA AA22-055A MuddyWater February 2022),(Citation: Kaspersky WIRTE November 2021),(Citation: Palo Alto OilRig Oct 2016)

Read More: https://attack.mitre.org/techniques/T1033