T1033

System Owner/User Discovery

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this by retrieving account usernames via built-in OS utilities such as whoami, query user, qwinsta, w, who, and id, or by querying environment variables, WMI, and Active Directory. The information is used during automated discovery to shape follow-on behaviors — determining whether to fully deploy a payload, escalate privileges, or target a specific high-value user account.

Microsoft Sentinel / Defender

kusto

let UserDiscoveryCommands = dynamic([
  "whoami", "query user", "qwinsta", "quser",
  "wmic useraccount", "wmic /node",
  "net user", "net localgroup",
  "Get-LocalUser", "Get-ADUser",
  "$env:USERNAME", "%USERNAME%", "%USERDOMAIN%"
]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
  "schtasks.exe", "at.exe", "msbuild.exe", "installutil.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // whoami with enumeration flags is more suspicious than bare whoami
    (FileName =~ "whoami.exe" and ProcessCommandLine has_any ("/all", "/groups", "/priv", "/fo"))
    // query user / qwinsta used outside of RDS admin contexts
    or FileName in~ ("query.exe", "qwinsta.exe", "quser.exe")
    // wmic useraccount enumeration
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("useraccount", "UserAccount"))
    // net user domain enumeration
    or (FileName =~ "net.exe" and ProcessCommandLine has_any ("user /domain", "localgroup administrators", "group /domain"))
    or (FileName =~ "net1.exe" and ProcessCommandLine has_any ("user /domain", "localgroup administrators"))
    // PowerShell user enumeration cmdlets
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-LocalUser", "Get-ADUser", "Get-WmiObject Win32_UserAccount", "[System.Security.Principal.WindowsIdentity]::GetCurrent", "whoami"))
)
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend BareWhoami = (FileName =~ "whoami.exe" and not (ProcessCommandLine has_any ("/all", "/groups", "/priv", "/fo")))
| extend HighPrivContext = AccountName has_any ("SYSTEM", "Administrator") or InitiatingProcessAccountName has_any ("SYSTEM", "Administrator")
| extend RiskScore = toint(SuspiciousParent) + toint(not BareWhoami) + toint(HighPrivContext)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, SuspiciousParent, HighPrivContext, RiskScore
| sort by Timestamp desc

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT helpdesk and system administrators routinely running whoami or query user when troubleshooting user sessions on RDS/Terminal Server hosts
Software deployment and configuration management agents (SCCM, Ansible, Chef, Puppet) that enumerate local users as part of compliance checks
Vulnerability scanners and security baselines tools (Nessus, Tenable.io, CIS-CAT) that query user accounts during authenticated scans
Monitoring and SIEM agents that collect user session data for asset inventory (e.g., Tanium, BigFix, Qualys Cloud Agent)
Developer tooling and CI/CD pipelines that resolve the current user context during build or deployment steps

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (
    (Image="*\\whoami.exe" AND (CommandLine="*/all*" OR CommandLine="*/groups*" OR CommandLine="*/priv*" OR CommandLine="*/fo*"))
    OR (Image="*\\query.exe" OR Image="*\\qwinsta.exe" OR Image="*\\quser.exe")
    OR (Image="*\\wmic.exe" AND (CommandLine="*useraccount*" OR CommandLine="*UserAccount*"))
    OR (Image="*\\net.exe" AND (CommandLine="*user /domain*" OR CommandLine="*localgroup administrators*" OR CommandLine="*group /domain*"))
    OR (Image="*\\net1.exe" AND (CommandLine="*user /domain*" OR CommandLine="*localgroup administrators*"))
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-LocalUser*" OR CommandLine="*Get-ADUser*" OR CommandLine="*Win32_UserAccount*" OR CommandLine="*WindowsIdentity*" OR CommandLine="*whoami*"))
  )
| eval SuspiciousParent=if(match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)$"), 1, 0)
| eval EnrichedFlags=if(match(lower(CommandLine), "(/all|/groups|/priv|/fo|useraccount|get-localuser|get-aduser|windowsidentity)"), 1, 0)
| eval HighPriv=if(match(lower(User), "(system|administrator|admin)"), 1, 0)
| eval RiskScore=SuspiciousParent + EnrichedFlags + HighPriv
| where RiskScore >= 1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspiciousParent, EnrichedFlags, HighPriv, RiskScore
| sort - RiskScore, - _time

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT helpdesk staff and administrators troubleshooting user sessions on RDS or shared servers
Configuration management agents running user enumeration as part of inventory or compliance baselines
Vulnerability scanners performing authenticated user enumeration during scheduled scans
Monitoring agents collecting user session metadata for asset tracking and inventory platforms
Developer and CI/CD automation resolving current user context during build or test steps

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
    (
      (process.name : "whoami.exe" and process.args : ("/all", "/groups", "/priv", "/fo"))
      or process.name : ("query.exe", "qwinsta.exe", "quser.exe")
      or (process.name : "wmic.exe" and process.command_line : ("*useraccount*", "*UserAccount*"))
      or (process.name : "net.exe" and process.command_line : ("*user /domain*", "*localgroup administrators*", "*group /domain*"))
      or (process.name : "net1.exe" and process.command_line : ("*user /domain*", "*localgroup administrators*"))
      or (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*Get-LocalUser*", "*Get-ADUser*", "*Win32_UserAccount*", "*WindowsIdentity*", "*whoami*"))
    )
  ] by process.parent.entity_id
  [process where event.type == "start" and
    process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "msbuild.exe", "installutil.exe")
  ] by process.entity_id

/* Standalone alert for single-event detection without parent correlation */
// process where event.type == "start" and
//   (
//     (process.name : "whoami.exe" and process.args : ("/all", "/groups", "/priv", "/fo"))
//     or process.name : ("query.exe", "qwinsta.exe", "quser.exe")
//     or (process.name : "wmic.exe" and process.command_line : ("*useraccount*", "*UserAccount*"))
//     or (process.name : "net.exe" and process.command_line : ("*user /domain*", "*localgroup administrators*", "*group /domain*"))
//     or (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*Get-LocalUser*", "*Get-ADUser*", "*Win32_UserAccount*", "*WindowsIdentity*", "*whoami*"))
//   ) and
//   process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

IT administrators running whoami /all or net user /domain for legitimate identity verification or troubleshooting — especially during onboarding, patch validation, or Active Directory audits
Security tooling and EDR agents that periodically enumerate local users for inventory purposes may trigger on wmic useraccount or Get-LocalUser patterns
Remote Desktop and terminal server administration tools (e.g., Remote Desktop Services management scripts) that use qwinsta and quser for session monitoring in multi-user environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "Account Domain" AS account_domain,
  "Process Name" AS process_name,
  "Process Command Line" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)$' THEN 1
    ELSE 0
  END AS suspicious_parent,
  CASE
    WHEN LOWER("Process Command Line") IMATCHES '.*((/all|/groups|/priv|/fo)|useraccount|get-localuser|get-aduser|windowsidentity|user /domain|localgroup administrators).*' THEN 1
    ELSE 0
  END AS enriched_flags,
  CASE
    WHEN LOWER(username) IMATCHES '.*(system|administrator|admin).*' THEN 1
    ELSE 0
  END AS high_priv
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 14, 169, 260)
  AND QIDNAME(qid) IN ('Process Create', 'Sysmon - Process Create')
  AND (
    (LOWER("Process Name") IMATCHES '.*\\whoami\.exe$' AND LOWER("Process Command Line") IMATCHES '.*/all.*|.*/groups.*|.*/priv.*|.*/fo.*')
    OR LOWER("Process Name") IMATCHES '.*(\\query\.exe|\\qwinsta\.exe|\\quser\.exe)$'
    OR (LOWER("Process Name") IMATCHES '.*\\wmic\.exe$' AND LOWER("Process Command Line") IMATCHES '.*(useraccount|useraccount).*')
    OR (LOWER("Process Name") IMATCHES '.*\\net\.exe$' AND LOWER("Process Command Line") IMATCHES '.*(user /domain|localgroup administrators|group /domain).*')
    OR (LOWER("Process Name") IMATCHES '.*\\net1\.exe$' AND LOWER("Process Command Line") IMATCHES '.*(user /domain|localgroup administrators).*')
    OR (LOWER("Process Name") IMATCHES '.*(\\powershell\.exe|\\pwsh\.exe)$' AND LOWER("Process Command Line") IMATCHES '.*(get-localuser|get-aduser|win32_useraccount|windowsidentity|whoami).*')
  )
  AND LAST 24 HOURS
ORDER BY
  (suspicious_parent + enriched_flags + high_priv) DESC, starttime DESC

medium severity medium confidence

Data Sources

IBM QRadar with Windows Security Log DSM QRadar with Sysmon DSM (Microsoft Windows Security Event Log) QRadar Universal DSM for Sysmon

Required Tables

events

False Positives

Helpdesk or IT support staff using net user /domain or query user interactively from cmd.exe to troubleshoot user account or RDS session issues
System inventory or SCCM/Intune management agents that use wmic useraccount or PowerShell Get-LocalUser for compliance reporting and asset management
Automated deployment scripts and CI/CD pipelines that verify user context with whoami or environment variable checks before executing privileged operations

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="os/windows")
| where EventID = "1" or EventID = "4688"
| where (
    (toLowerCase(Image) matches "*\\whoami.exe" and (toLowerCase(CommandLine) matches "*/all*" or toLowerCase(CommandLine) matches "*/groups*" or toLowerCase(CommandLine) matches "*/priv*" or toLowerCase(CommandLine) matches "*/fo*"))
    or toLowerCase(Image) matches "*\\query.exe" or toLowerCase(Image) matches "*\\qwinsta.exe" or toLowerCase(Image) matches "*\\quser.exe"
    or (toLowerCase(Image) matches "*\\wmic.exe" and (toLowerCase(CommandLine) matches "*useraccount*"))
    or (toLowerCase(Image) matches "*\\net.exe" and (toLowerCase(CommandLine) matches "*user /domain*" or toLowerCase(CommandLine) matches "*localgroup administrators*" or toLowerCase(CommandLine) matches "*group /domain*"))
    or (toLowerCase(Image) matches "*\\net1.exe" and (toLowerCase(CommandLine) matches "*user /domain*" or toLowerCase(CommandLine) matches "*localgroup administrators*"))
    or ((toLowerCase(Image) matches "*\\powershell.exe" or toLowerCase(Image) matches "*\\pwsh.exe") and (toLowerCase(CommandLine) matches "*get-localuser*" or toLowerCase(CommandLine) matches "*get-aduser*" or toLowerCase(CommandLine) matches "*win32_useraccount*" or toLowerCase(CommandLine) matches "*windowsidentity*" or toLowerCase(CommandLine) matches "*whoami*"))
  )
| if(toLowerCase(ParentImage) matches "*(cmd.exe|powershell.exe|pwsh.exe|wscript.exe|cscript.exe|mshta.exe|rundll32.exe|regsvr32.exe|schtasks.exe|msbuild.exe|installutil.exe)", 1, 0) as suspicious_parent
| if(toLowerCase(CommandLine) matches "*(/all|/groups|/priv|/fo|useraccount|get-localuser|get-aduser|windowsidentity|user /domain|localgroup administrators)*", 1, 0) as enriched_flags
| if(toLowerCase(User) matches "*(system|administrator|admin)*", 1, 0) as high_priv
| suspicious_parent + enriched_flags + high_priv as RiskScore
| where RiskScore >= 1
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, suspicious_parent, enriched_flags, high_priv, RiskScore
| sort by RiskScore desc, _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Windows Source (Sysmon Operational log) Sumo Logic Windows Security Log Source Sumo Logic Installed Collector on Windows endpoints

Required Tables

windows/sysmon windows/security os/windows

False Positives

Windows administration scripts that use whoami /all to verify token privileges before applying group policy or configuring services, particularly during system initialization
Privileged Access Workstation (PAW) monitoring tools that enumerate local administrators via Get-LocalUser or net localgroup administrators for access validation
Threat hunting or red team exercises conducted in production environments where security teams execute discovery commands from PowerShell or cmd.exe to simulate adversary behavior

Google Chronicle / SecOps

yaral

rule T1033_System_Owner_User_Discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1033 System Owner/User Discovery via execution of user enumeration utilities with suspicious parent process or elevated privilege context"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1033"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1033/"
    severity = "MEDIUM"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\whoami\.exe$`) and
        re.regex($e.target.process.command_line, `(?i).*(/all|/groups|/priv|/fo).*`)
      ) or
      re.regex($e.target.process.file.full_path, `(?i).*\\(query|qwinsta|quser)\.exe$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i).*(useraccount).*`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i).*(user\s+/domain|localgroup\s+administrators|group\s+/domain).*`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i).*(Get-LocalUser|Get-ADUser|Win32_UserAccount|WindowsIdentity|whoami).*`)
      )
    )
    (
      re.regex($e.principal.process.file.full_path, `(?i).*\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|schtasks|msbuild|installutil)\.exe$`) or
      re.regex($e.principal.user.userid, `(?i).*(system|administrator|admin).*`) or
      re.regex($e.target.process.command_line, `(?i).*(/all|/groups|/priv|/fo|useraccount|Get-LocalUser|Get-ADUser|WindowsIdentity|user\s*/domain|localgroup administrators).*`)
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Chronicle UDM with Windows Event Forwarding Chronicle with CrowdStrike Falcon telemetry Chronicle with Carbon Black EDR Chronicle with Microsoft Defender for Endpoint via SIEM connector

Required Tables

UDM events (PROCESS_LAUNCH)

False Positives

Legitimate system health check scripts invoked from cmd.exe or PowerShell that use whoami or Get-LocalUser to validate service account permissions during automated maintenance windows
Enterprise monitoring agents such as Splunk Universal Forwarder, Elastic Agent, or SolarWinds that run periodic user context checks using wmic or PowerShell cmdlets
Developer workstations where build automation tools (MSBuild, InstallUtil) spawn PowerShell to query the current user context for path resolution or permission checks during software compilation

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\whoami\.exe|\\query\.exe|\\qwinsta\.exe|\\quser\.exe|\\wmic\.exe|\\net\.exe|\\net1\.exe|\\powershell\.exe|\\pwsh\.exe)$/
| CommandLine = /(?i)(/all|/groups|/priv|/fo|useraccount|UserAccount|user\s+/domain|localgroup\s+administrators|group\s+/domain|Get-LocalUser|Get-ADUser|Win32_UserAccount|WindowsIdentity|whoami)/
| ParentBaseFileName = /(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)/
  OR UserName = /(?i)(SYSTEM|Administrator)/
| SuspiciousParent := if(ParentBaseFileName = /(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)/, 1, 0)
| EnrichedFlags := if(CommandLine = /(?i)(/all|/groups|/priv|/fo|useraccount|Get-LocalUser|Get-ADUser|WindowsIdentity|user\s*/domain|localgroup administrators)/, 1, 0)
| HighPriv := if(UserName = /(?i)(SYSTEM|Administrator|admin)/, 1, 0)
| RiskScore := SuspiciousParent + EnrichedFlags + HighPriv
| RiskScore >= 1
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName], function=[
    count(as=EventCount),
    max(RiskScore, as=MaxRiskScore),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| sort(MaxRiskScore, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) CrowdStrike Falcon LogScale with Windows endpoint telemetry

Required Tables

ProcessRollup2

False Positives

IT support personnel using Remote Assistance or remote administration scripts that invoke whoami /all or query user to troubleshoot user session or token issues from PowerShell remoting sessions
Automated provisioning pipelines (e.g., Ansible, Chef, Puppet) that run as SYSTEM or Administrator and check current user context with whoami or environment variable queries before applying configuration
Security operations scripts or SOAR playbooks that enumerate local users via Get-LocalUser or net localgroup administrators as part of automated incident triage or host baseline collection

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1033 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Owner/User Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections