infosecn1nja
/
atomic-red-team
mirror of https://github.com/infosecn1nja/atomic-red-team.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
atomic-red-team/Windows/Discovery/System Owner-User Discovery.md

32 lines
357 B
Markdown
Raw Permalink Normal View History

Initial Commit Initial Checkin
2017-10-11 17:35:17 +00:00
## System Owner/User Discovery
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
### cmd.exe
"cmd.exe" /C whoami
### wmic.exe
wmic useraccount get /ALL
### quser
Discovery + Added a Discovery bat file to run all the things at once. Generally, none of this activity is deemed "evil" as it is recon activity. Seeing it all run at once should be suspect to anyone. + Updates to two discovery files.
2017-10-12 17:35:44 +00:00
Remote:
Initial Commit Initial Checkin
2017-10-11 17:35:17 +00:00
quser /SERVER:"<computername>"
Discovery + Added a Discovery bat file to run all the things at once. Generally, none of this activity is deemed "evil" as it is recon activity. Seeing it all run at once should be suspect to anyone. + Updates to two discovery files.
2017-10-12 17:35:44 +00:00
Local:
quser
Initial Commit Initial Checkin
2017-10-11 17:35:17 +00:00
### qwinsta
Discovery + Added a Discovery bat file to run all the things at once. Generally, none of this activity is deemed "evil" as it is recon activity. Seeing it all run at once should be suspect to anyone. + Updates to two discovery files.
2017-10-12 17:35:44 +00:00
Remote:
Initial Commit Initial Checkin
2017-10-11 17:35:17 +00:00
qwinsta.exe" /server:<computername>
Discovery + Added a Discovery bat file to run all the things at once. Generally, none of this activity is deemed "evil" as it is recon activity. Seeing it all run at once should be suspect to anyone. + Updates to two discovery files.
2017-10-12 17:35:44 +00:00
Local:
qwinsta.exe