System Owner/User Discovery T1033
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Events covered
6 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Defender-DeviceEvents | LdapSearch | LDAP search |
| LDAP-Client | Event ID 30 | LDAP search request |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Authoring guide
Patterns shared across the 55 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (22 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (441 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (55 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma (21 rules)
- Chopper Webshell Process Pattern
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- Enumerate All Information With Whoami.EXE
- Get-ADUser Enumeration Using UserAccountControl Flags
- Group Membership Reconnaissance Via Whoami.EXE
- HackTool - SharpLdapWhoami Execution
- HackTool - SharpView Execution
- Local Accounts Discovery
- Potential Dridex Activity
- Renamed Whoami Execution
- Security Privileges Enumeration Via Whoami.EXE
- Suspicious PowerShell Get Current User
- User Discovery And Export Via Get-ADUser Cmdlet
- User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
- Webshell Detection With Command Line Keywords
- Webshell Hacking Activity Patterns
- WhoAmI as Parameter
- Whoami.EXE Execution Anomaly
- Whoami.EXE Execution From Privileged Process
- Whoami.EXE Execution With Output Option
Elastic (7 rules)
- Account Discovery Command via SYSTEM Account
- Enumeration Command Spawned via WMIPrvSE
- Suspicious JetBrains TeamCity Child Process
- Suspicious MS Office Child Process
- Suspicious PDF Reader Child Process
- Whoami Process Activity
- Windows Account or Group Discovery
Splunk (23 rules)
- Check Elevated CMD using whoami
- Common Recon Commands in Short Burst (Sysmon)
- Common Recon Commands in Short Burst (Windows Event Log)
- Common Reconnaissance Commands (PowerShell)
- Common Reconnaissance Commands (Sysmon)
- Common Reconnaissance Commands (Windows Event Log)
- GetCurrent User with PowerShell
- GetCurrent User with PowerShell Script Block
- PowerView_SharpView Commands (PowerShell)
- System Owner_User Discovery - Windows (PowerShell)
- System Owner_User Discovery - Windows (Sysmon)
- System Owner_User Discovery - Windows (Windows Event Log)
- System User Discovery With Query
- System User Discovery With Whoami
- User Discovery via Environment Variables - PowerShell (PowerShell)
- User Discovery With Env Vars PowerShell
- User Discovery With Env Vars PowerShell Script Block
- Windows System Discovery Using ldap Nslookup
- Windows System Discovery Using Qwinsta
- Windows System Remote Discovery With Query
- Windows System User Discovery Via Quser
- Windows System User Privilege Discovery
- Windows WinPEAS PowerShell Script Execution