System Owner/User Discovery, Technique T1033 - Enterprise
Action RAT has the ability to collect the username from an infected host.[3]
Agent Tesla can collect the username from the victim’s machine.[4][5][6]
Agent.btz obtains the victim username and saves it to a file.[7]
Amadey has collected the user name from a compromised host using GetUserNameA.[8]
APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.[9]
An APT3 downloader uses the Windows command cmd.exe /C whoami to verify that it is running with the elevated privileges of "System."[10]
APT32 collected the victim's username and executed the whoami command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine.[11][12][13]
APT37 identifies the victim username.[14]
APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.[15]
APT39 used Remexi to collect usernames from the system.[16]
APT41 has executed whoami commands, including using the WMIEXEC utility to execute this on remote machines.[17][18]
Aquatic Panda gathers information on recently logged-in users on victim devices.[19]
Aria-body has the ability to identify the username on a compromised host.[20]
AsyncRAT can check if the current user of a compromised system is an administrator.[21]
AuTo Stealer has the ability to collect the username from an infected host.[3]
Azorult can collect the username from the victim’s machine.[22]
BabyShark has executed the whoami command.[23]
Backdoor.Oldrea collects the current username from the victim.[24]
BADHATCH can obtain logged user information from a compromised machine and can execute the command whoami.exe.[25]
Bazar can identify the username of the infected user.[26]
BISCUIT has a command to gather the username from the system.[27]
BlackCat can utilize net use commands to discover the user name on a compromised host.[28]
BloodHound can collect information on user sessions.[29]
BLUELIGHT can collect the username on a compromised host.[30]
Bonadan has discovered the username of the user running the backdoor.[31]
BoomBox can enumerate the username on a compromised host.[32]
Bumblebee has the ability to identify the user name.[33]
During C0017, APT41 used whoami to gather information from victim machines.[34]
During C0018, the threat actors collected whoami information via PowerShell scripts.[35]
Cannon can gather the username from the system.[36]
Cardinal RAT can collect the username from a victim machine.[37]
Caterpillar WebShell can obtain a list of user accounts from a victim's machine.[38]
Chaes has collected the username and UID from the infected machine.[39]
Chimera has used the quser command to show currently logged on users.[40]
CHIMNEYSWEEP has included the victim's computer name and username in C2 messages sent to actor-owned infrastructure.[41]
Chrommme can retrieve the username from a targeted system.[42]
Clambling can identify the username on a compromised host.[43][44]
CreepySnail can execute getUsername on compromised systems.[45]
Crimson can identify the user on a targeted system.[46][47][48]
Cryptoistic can gather data on the user of a compromised host.[49]
Cuckoo Stealer can discover and send the username from a compromised host to C2.[50]
DarkComet gathers the username from the victim’s machine.[51]
DarkWatchman has collected the username from a victim machine.[52]
Denis enumerates and collects the username from the victim’s machine.[53][13]
A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.[54]
Diavol can collect the username from a compromised host.[55]
DnsSystem can use the Windows user name to create a unique identification for infected users and systems.[56]
DownPaper collects the victim username and sends it to the C2 server.[57]
Dragonfly used the command query user on victim hosts.[58]
DRATzarus can obtain a list of users from an infected machine.[59]
Dyre has the ability to identify the users on a compromised host.[60]
Earth Lusca collected information on user accounts via the whoami command.[61]
Egregor has used tools to gather information about users.[62]
Emotet has enumerated all users connected to network shares.
Empire can enumerate the username on targeted hosts.[63]
Epic collects the user name from the victim’s machine.[64]
EVILNUM can obtain the username from the victim's machine.[65]
Exaramel for Linux can run whoami to identify the system owner.[66]
Explosive has collected the username from the infected host.[67]
Felismus collects the current username and sends it to the C2 server.[68]
FELIXROOT collects the username from the victim’s machine.[69][70]
FIN10 has used Meterpreter to enumerate users on remote systems.[71]
FIN7 has used the command cmd.exe /C quser to collect user session information.[72]
FIN8 has executed the command quser to display the session details of a compromised machine.[73]
Flagpro has been used to run the whoami command on the system.[74]
FlawedAmmyy enumerates the current user during the initial infection.[75][76]
During Frankenstein, the threat actors used Empire to enumerate hosts and gather username, machine name, and administrative permissions information.[63]
FunnyDream has the ability to gather user information from the targeted system using whoami/upn&whoami/fqdn&whoami/logonid&whoami/all.[77]
GALLIUM used whoami and query user to obtain information about the victim user.[78]
A Gamaredon Group file stealer can gather the victim's username to send to a C2 server.[79]
Gazer obtains the current user's security identifier.[80]
Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[42]
Get2 has the ability to identify the current username of an infected host.[81]
Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server.[82]
Goopy has the ability to enumerate the infected system's user name.[13]
Grandoreiro can collect the username from the victim's machine.[83]
GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status).[84]
GrimAgent can identify the user id on a target machine.[85]
HAFNIUM has used whoami to gather user information.[86]
can collect the victim user name.[87]
HAWKBALL can collect the user name of the system.[88]
HEXANE has run whoami on compromised machines to identify the current user.[89]
HotCroissant has the ability to collect the username on the infected host.[90]
InvisiMole lists local users and session information.[91]
Ixeshe collects the username from the victim’s machine.[92]
JPIN can obtain the victim user name.[93]
Kazuar gathers information on users.[94]
Ke3chang has used implants capable of collecting the signed-in username.[95]
Koadic can identify logged in users across the domain and views user sessions.[96][97]
The OsInfo function in Komplex collects the current running username.[98]
KONNI can collect the username from the victim’s machine.[99]
KOPILUWAK can conduct basic network reconnaissance on the victim machine with whoami to get user details.[100]
Kwampirs collects registered owner details by using the commands systeminfo and net config workstation.[101]
Latrodectus can discover the username of an infected host.[102]
Various Lazarus Group malware enumerates logged-on users.[103][104][105][106][107][49][108]
Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain.[109]
LiteDuke can enumerate the account name on a targeted system.[110]
LitePower can determine if the current user has admin privileges.[111]
Lizar can collect the username from the system.[112]
Lokibot has the ability to discover the username on the infected host.[113]
Lucifer has the ability to identify the username on a compromised host.[114]
LuminousMoth has used a malicious DLL to collect the username from compromised hosts.[115]
LunarWeb can collect user information from the targeted host.[116]
MacMa can collect the username from the compromised machine.[117]
Mafalda can collect the username from a compromised host.[118]
Magic Hound malware has obtained the victim username and sent it to the C2 server.[119][120][121]
MarkiRAT can retrieve the victim’s username.[122]
MechaFlounder has the ability to identify the username and hostname on a compromised host.[123]
metaMain can collect the username from a compromised host.[118]
Metamorfo has collected the username from the victim's machine.[124]
MgBot includes modules for identifying local users and administrators on victim machines.[125]
Micropsia collects the username from the victim’s machine.[126]
Milan can identify users registered to a targeted machine.[127]
MirageFox can gather the username from the victim’s machine.[128]
Mis-Type runs tests to determine the privilege level of the compromised user.[129]
Moonstone Sleet deployed various malware such as YouieLoader that can perform system user discovery actions.[130]
MoonWind obtains the victim username.[131]
More_eggs has the capability to gather the username from the victim's machine.[132][133]
Mosquito runs whoami on the victim’s machine.[134]
MuddyWater has used malware that can collect the victim’s username.[135][136]
NanHaiShu collects the username from the victim.[137]
NBTscan can list active users on the system.[138][139]
NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel.[140]
Neoichor can collect the user name from a victim's machine.[95]
NGLite will run the whoami command to gather system information and return this to the command and control server.[141]
During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.[142]
Nightdoor gathers information on victim system users and usernames.[143]
njRAT enumerates the current user during the initial infection.[144]
NOKKI can collect the username from the victim’s machine.[145]
ObliqueRAT can check for blocklisted usernames on infected endpoints.[146]
Octopus can collect the username from the victim’s machine.[147]
OilRig has run whoami on a victim.[148][149][150]
Okrum can collect the victim username.[151]
During Operation CuckooBees, the threat actors used the query user and whoami commands as part of their advanced reconnaissance.[152]
During Operation Wocao, threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.[153]
Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[154][140]
PoetRAT sent username, computer name, and the previously generated UUID in reply to a "who" command from C2.[155]
PowerDuke has commands to get the current user's name and SID.[156]
PowerShower has the ability to identify the current user on the infected host.[157]
POWERSTATS has the ability to identify the username on the compromised host.[158]
POWRUNER may collect information about the currently logged in user by running whoami on a victim.[159]
A module in Prikormka collects information from the victim about the current user name.[160]
Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.[161]
PyDCrypt has probed victim machines with whoami and has collected the username from the machine.[162]
QakBot can identify the user name on a compromised system.[163][164]
QUADAGENT gathers the victim username.[165]
QuasarRAT can enumerate the username and account type.[166]
Raccoon Stealer gathers information on the infected system owner and user.[167][168][169]
Raspberry Robin determines whether it is successfully running on a victim system by querying the running account information to determine if it is running in Session 0, indicating running with elevated privileges.[170]
RATANKBA runs the whoami and query user commands.[171]
RCSession can gather system owner information, including user and administrator privileges.[172]
Reaver collects the victim's username.[173]
RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.[174]
Remsec can obtain information about the current user.[175]
Revenge RAT gathers the username from the system.[176]
RGDoor executes the whoami command on the victim’s machine.[177]
Rifdoor has the ability to identify the username on the compromised host.[90]
Rising Sun can detect the username of the infected host.[178]
RogueRobin collects the victim’s username and whether that user is an admin.[179]
ROKRAT can collect the username from a compromised host.[180]
RTM can obtain the victim username and permissions.[181]
S-Type has run tests to determine the privilege level of the compromised user.[129]
Saint Bot can collect the username from a compromised host.[182]
Sandworm Team has collected the username from a compromised host.[183]
SDBbot has the ability to identify the user on a compromised host.[81]
ServHelper will attempt to enumerate the username of the victim.[184]
ShadowPad has collected the username of the victim system.[185]
SHARPSTATS has the ability to identify the username on the compromised host.[158]
SideTwist can collect the username on a targeted system.[150]
Sidewinder has used tools to identify the user of a compromised host.[186]
SILENTTRINITY can gather a list of logged on users.[187]
SLOTHFULMEDIA has collected the username from a victim machine.[188]
Small Sieve can obtain the id of a logged in user.[189]
SMOKEDHAM has used whoami commands to identify system owners.[190]
SocGholish can use whoami to obtain the username from a compromised host.[191][192][193]
SodaMaster can identify the username on a compromised host.[194]
SombRAT can execute getinfo to identify the username on a compromised host.[195][196]
Spark has run the whoami command and has a built-in command to identify the user logged in.[197]
SpeakUp uses the whoami command.[198]
Squirrelwaffle can collect the user name from a compromised host.[199]
SslMM sends the logged-on username to its hard-coded C2.[200]
STARWHALE can gather the username from an infected host.[201][202]
Stealth Falcon malware gathers the registered user and primary owner name via WMI.[203]
StrifeWater can collect the user name from the victim's machine.[204]
SUNBURST collected the username from a compromised host.[205][206]
SVCReady can collect the username from an infected host.[207]
SynAck gathers user names from infected hosts.[208]
Sys10 collects the account name of the logged-in user and sends it to the C2.[200]
SysUpdate can collect the username from a compromised host.[209]
T9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.[210]
Threat Group-3390 has used whoami to collect system user information.[43]
TrickBot can identify the user and groups the user belongs to on a compromised host.[211]
Trojan.Karagany can gather information about the user on a compromised host.[212]
Tropic Trooper used letmein
to scan for saved usernames on the target system.[213]
Turian can retrieve usernames.[214]
Unknown Logger can obtain information about the victim usernames.[215]
UPPERCUT has the capability to collect the current logged on user’s username from a machine.[216]
Valak can gather information regarding the user.[217]
VERMIN gathers the username from the victim’s machine.[218]
Volt Typhoon has used public tools and executed the PowerShell command Get-EventLog security -instanceid 4624 to identify associated user and computer account names.[219][220][221]
WellMail can identify the current username on the victim system.[222]
WellMess can collect the username on the victim machine to send to C2.[223]
WINDSHIELD can gather the victim user name.[224]
Windshift has used malware to identify the username on a compromised host.[225]
WINERACK can gather information on the victim username.[87]
WinMM uses NetUserGetInfo to identify that it is running under an "Admin" account on the local system.[200]
Winter Vivern PowerShell scripts execute whoami to identify the executing user.[226]
Wizard Spider has used "whoami" to identify the local user and their privileges.[227]
Woody RAT can retrieve a list of user accounts and usernames from an infected machine.[228]
XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user.[229]
yty collects the victim’s username.[230]
Zebrocy gets the username from the system.[231][232]
ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.[233]
zwShell can obtain the name of the logged-in user on the victim.[142]
ZxShell can collect the owner and organization information from the target workstation.[234]
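Most of the procedures above reduce to a handful of built-in commands (whoami, quser / query user, net config workstation, systeminfo, and reading the Security log for 4624 logons), which makes process-creation telemetry the natural place to detect them. The following is an added detection example written for this page; it is not code from ATT&CK or from any of the tools listed. It runs over constructed Sysmon Event ID 1 / Security 4688 style records in a simple "time|host|user|parent image|command line" form, flags the discovery commands named in the list (the spaceless FunnyDream chain included), and escalates two patterns a single whoami would not justify on its own: several distinct discovery commands from one host/user inside a short window (the whoami plus query user pairing used by GALLIUM, RATANKBA and in Operation CuckooBees), and a discovery command spawned under a remote-execution host process such as WmiPrvSE.exe (the WMIEXEC-driven whoami attributed to APT41). The sample events and the REMOTE_PARENTS list are assumptions for illustration.

```python
"""Flag T1033-style user discovery in process-creation telemetry.

Added example (not part of the ATT&CK page). Input records are constructed
'time|host|user|parent_image|command_line' lines, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Discovery commands named in the procedure list, matched on the lower-cased
# command line. A \b (not \s) after the verb lets FunnyDream's spaceless
# "whoami/upn&whoami/fqdn&..." chain match as well as "whoami /all".
PATTERNS = {
    "whoami":            re.compile(r"\bwhoami(\.exe)?\b"),
    "quser":             re.compile(r"\bquser(\.exe)?\b"),
    "query user":        re.compile(r"\bquery(\.exe)?\s+user\b"),
    "net config":        re.compile(r"\bnet1?(\.exe)?\s+config\s+workstation\b"),
    "systeminfo":        re.compile(r"\bsysteminfo(\.exe)?\b"),
    "security log 4624": re.compile(r"\bget-(eventlog|winevent)\b.*\b4624\b"),
}

# Parent images that indicate the command was pushed from another host
# (wmiexec-style execution runs cmd.exe under WmiPrvSE.exe). Assumed, short
# illustrative list; extend it for your environment.
REMOTE_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "wsmprovhost.exe"}


def discovery_labels(cmdline):
    """Return the discovery commands found in one command line (may be several)."""
    text = cmdline.lower()
    return [label for label, rx in PATTERNS.items() if rx.search(text)]


def parse_events(lines):
    """Parse constructed 'time|host|user|parent_image|command_line' records."""
    events = []
    for line in lines:
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "parent": parent, "cmdline": cmd})
    return events


def find_discovery(events, window=timedelta(minutes=5), min_distinct=2):
    """Return (hits, alerts): every matching event, plus escalations for
    discovery under a remote-execution parent or for >= min_distinct distinct
    discovery commands by one host/user inside `window`."""
    hits = [dict(ev, labels=discovery_labels(ev["cmdline"])) for ev in events]
    hits = [h for h in hits if h["labels"]]
    alerts = []
    by_actor = defaultdict(list)
    for h in hits:
        parent = PureWindowsPath(h["parent"]).name.lower()
        if parent in REMOTE_PARENTS:
            alerts.append({"host": h["host"], "user": h["user"],
                           "reason": "discovery under remote-execution parent " + parent,
                           "commands": sorted(h["labels"])})
        by_actor[(h["host"], h["user"])].append(h)
    for (host, user), actor_hits in by_actor.items():
        actor_hits.sort(key=lambda h: h["time"])
        for i, first in enumerate(actor_hits):
            seen = set()
            for h in actor_hits[i:]:
                if h["time"] - first["time"] > window:
                    break
                seen.update(h["labels"])
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "reason": f"{len(seen)} distinct discovery commands within {window}",
                               "commands": sorted(seen)})
                break  # one burst alert per actor is enough for triage
    return hits, alerts


# Constructed sample telemetry (not real logs). The last line shows the
# word-boundary match skipping a file name that merely contains "whoami".
SAMPLE = [
    "2024-05-01T09:00:00|WS01|CORP\\alice|C:\\Windows\\explorer.exe|\"C:\\Program Files\\Git\\git.exe\" status",
    "2024-05-01T09:01:10|WS01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /C whoami",
    "2024-05-01T09:01:12|WS01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|quser",
    "2024-05-01T09:01:15|WS01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|whoami/upn&whoami/fqdn&whoami/logonid&whoami/all",
    "2024-05-01T09:30:00|SRV02|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1714 2>&1",
    "2024-05-01T11:00:00|WS03|CORP\\bob|C:\\Windows\\explorer.exe|powershell.exe Get-EventLog security -instanceid 4624",
    "2024-05-01T11:00:05|WS03|CORP\\bob|C:\\Windows\\explorer.exe|notepad.exe C:\\notes\\whoami_todo.txt",
]

if __name__ == "__main__":
    hits, alerts = find_discovery(parse_events(SAMPLE))
    for h in hits:
        print(f"hit   {h['time']} {h['host']} {h['user']}: {h['labels']}  <- {h['cmdline']}")
    for a in alerts:
        print(f"ALERT {a['host']} {a['user']}: {a['reason']} {a['commands']}")
```

Two tuning notes: the burst rule deliberately counts distinct commands rather than raw hits, because a single whoami from an administrator's console is routine while whoami followed by quser or query user within minutes is the reconnaissance sequence the procedure list describes; and net use (BlackCat) is left out of PATTERNS because it is far too common in logon scripts to be useful without a tighter context.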