
System Owner/User Discovery

What: System Owner/User Discovery

System Owner/User Discovery is a technique categorized under the "Discovery" tactic in the MITRE ATT&CK framework, specifically identified as T1033. This technique involves an adversary attempting to identify the users, owners, and administrators of a system or network. The purpose is to gather information that might be useful for escalating privileges or for lateral movement within the network, aiming to identify accounts that may have more extensive permissions or access rights.

How: Techniques and Methods Used

  1. Querying Account Information:
     • Windows: Adversaries may use commands like net user, net group, and net localgroup to list users and group memberships.
     • Linux/Unix: Commands such as who, w, id, last, and groups, along with reading /etc/passwd, are common for listing active users, user IDs, and group memberships.

  2. System Login Inspection:
     • Examining login prompts and screensavers, or using tools like PowerShell's Get-LocalUser, to glean user account names directly from the interface or from system responses.

  3. Network Service Scanning:
     • Using tools like Wireshark or tcpdump to monitor network traffic that might include authentication exchanges revealing user names.

  4. Directory Service Queries:
     • LDAP queries against directories such as Active Directory, using tools like ADSI Edit or custom scripts, can reveal detailed information about users.

  5. APIs and System Calls:
     • Using system APIs (e.g., the Windows API function NetUserEnum) to programmatically retrieve user account details.
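The commands listed above are also what a defender looks for in process-creation telemetry. The following Python script is an added example, not part of this page or of the MITRE ATT&CK project's content: it classifies command lines into the discovery families named above and raises an alert only when one account on one host runs several distinct families within a short window, which separates a single routine `id` or `net user` from an enumeration burst. The pipe-delimited log format, the host and user names, and the window and threshold values are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). Each entry is
# "timestamp|host|user|parent_image|command_line", a simplified stand-in for
# Sysmon Event ID 1, Windows Security 4688 or auditd execve records. Host and
# user names are invented for the example.
SAMPLE_EVENTS = [
    r"2024-05-01T10:00:01|WS01|CORP\alice|C:\Windows\explorer.exe|notepad.exe notes.txt",
    r"2024-05-01T10:00:05|WS01|CORP\alice|C:\Windows\System32\cmd.exe|net user",
    r"2024-05-01T10:00:07|WS01|CORP\alice|C:\Windows\System32\cmd.exe|net localgroup administrators",
    r'2024-05-01T10:00:12|WS01|CORP\alice|C:\Windows\System32\cmd.exe|net group "Domain Admins" /domain',
    r"2024-05-01T10:00:20|WS01|CORP\alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Get-LocalUser",
    r"2024-05-01T11:30:00|SRV02|bob|/usr/bin/bash|id",
    r"2024-05-01T14:15:00|SRV03|carol|/usr/bin/bash|who",
    r"2024-05-01T14:15:02|SRV03|carol|/usr/bin/bash|w",
    r"2024-05-01T14:15:03|SRV03|carol|/usr/bin/bash|last -n 20",
    r"2024-05-01T14:15:05|SRV03|carol|/usr/bin/bash|cat /etc/passwd",
]

# Command families from the technique description, keyed by a short label.
DISCOVERY_PATTERNS = [
    ("net_user",       re.compile(r"^\s*net1?(\.exe)?\s+user\b", re.I)),
    ("net_group",      re.compile(r"^\s*net1?(\.exe)?\s+(local)?group\b", re.I)),
    ("get_localuser",  re.compile(r"\bGet-LocalUser\b", re.I)),
    ("unix_who_w",     re.compile(r"^\s*(who|w)(\s|$)")),
    ("unix_id_groups", re.compile(r"^\s*(id|groups)(\s|$)")),
    ("unix_last",      re.compile(r"^\s*last(\s|$)")),
    ("etc_passwd",     re.compile(r"/etc/passwd\b")),
]


def parse_event(line):
    """Split one pipe-delimited record into a dict with a parsed timestamp."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "user": user, "parent": parent, "cmd": cmd}


def classify(cmd):
    """Return the sorted list of discovery labels a command line matches."""
    return sorted(label for label, pat in DISCOVERY_PATTERNS if pat.search(cmd))


def detect_discovery_bursts(lines, window_seconds=60, min_distinct=3):
    """Alert when one (host, user) runs min_distinct different discovery
    command families within window_seconds. One lone command is ordinary
    administration; several distinct families in quick succession is the
    enumeration pattern T1033 describes."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for ev in (parse_event(line) for line in lines):
        labels = classify(ev["cmd"])
        if labels:
            hits[(ev["host"], ev["user"])].append((ev["time"], labels, ev["cmd"]))

    alerts = []
    for (host, user), seq in hits.items():
        seq.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - start <= window]
            seen = set()
            for _, labels, _ in in_window:
                seen.update(labels)
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": start,
                               "end": in_window[-1][0],
                               "families": sorted(seen),
                               "commands": [c for _, _, c in in_window]})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_discovery_bursts(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} {a['start']:%H:%M:%S}-{a['end']:%H:%M:%S} "
              f"{', '.join(a['families'])}")
```

Run against the constructed sample, the script alerts on WS01/alice (net user, net localgroup, net group and Get-LocalUser within 15 seconds) and on SRV03/carol (who, w, last and /etc/passwd within 5 seconds) while staying silent on SRV02/bob's single `id`. In production the records would come from a SIEM query over Sysmon, 4688 or auditd data, the window and threshold would be tuned per environment, and known administrative tooling would be excluded by parent image or account.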

Where: Environments and Systems Affected

This technique is applicable across various environments including but not limited to:

  • Corporate networks
  • Cloud environments (AWS, Azure, Google Cloud)
  • Personal computing environments
  • Hybrid environments combining elements from all of the above

The systems affected typically include Windows, Linux/Unix servers, workstations, domain controllers, and any system that maintains user account information.

Why: Objectives Behind System Owner/User Discovery

The discovery of system owner/user information serves several adversarial objectives:

  1. Privilege Escalation: Identifying accounts with higher privileges that can be targeted to gain elevated access.
  2. Lateral Movement: Facilitating movement across the network by targeting specific user accounts known to have access across various systems.
  3. Persistence: Establishing long-term access by targeting accounts less likely to be monitored closely or those with permissions that facilitate setting up backdoors.
  4. Avoidance of Detection: Understanding which accounts are regularly monitored can help adversaries avoid detection by focusing on less scrutinized accounts.
  5. Social Engineering: Gathering detailed user information can aid in crafting convincing phishing campaigns or other social engineering attacks aimed at compromising specific individuals.

In summary, "System Owner/User Discovery" is a foundational technique in an adversary’s toolkit aimed at mapping out potential targets within a network for further exploitation based on their role and level of access within the environment.