cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104.json

{
    "type": "bundle",
    "id": "bundle--463ee45a-ef4c-439a-9a50-07465757e525",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-04-12T23:35:40.261Z",
            "name": "System Owner/User Discovery",
            "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "discovery"
                }
            ],
            "x_mitre_contributors": [
                "Austin Clark, @c2defense"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_detection": "`System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nFor network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations.",
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows",
                "Network"
            ],
            "x_mitre_version": "1.4",
            "x_mitre_data_sources": [
                "Process: OS API Execution",
                "Process: Process Access",
                "Windows Registry: Windows Registry Key Access",
                "Active Directory: Active Directory Object Access",
                "Network Traffic: Network Traffic Content",
                "File: File Access",
                "Process: Process Creation",
                "Command: Command Execution",
                "Network Traffic: Network Traffic Flow"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
            "created": "2017-05-31T21:30:35.733Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1033",
                    "external_id": "T1033"
                },
                {
                    "source_name": "show_ssh_users_cmd_cisco",
                    "description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.",
                    "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html"
                },
                {
                    "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
                    "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
                    "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}