Detect System Owner/User Discovery in Splunk
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this by retrieving account usernames via built-in OS utilities such as whoami, query user, qwinsta, w, who, and id, or by querying environment variables, WMI, and Active Directory. The information is used during automated discovery to shape follow-on behaviors — determining whether to fully deploy a payload, escalate privileges, or target a specific high-value user account.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1033 System Owner/User Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1033/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
(
(Image="*\\whoami.exe" AND (CommandLine="*/all*" OR CommandLine="*/groups*" OR CommandLine="*/priv*" OR CommandLine="*/fo*"))
OR (Image="*\\query.exe" OR Image="*\\qwinsta.exe" OR Image="*\\quser.exe")
OR (Image="*\\wmic.exe" AND (CommandLine="*useraccount*" OR CommandLine="*UserAccount*"))
OR (Image="*\\net.exe" AND (CommandLine="*user /domain*" OR CommandLine="*localgroup administrators*" OR CommandLine="*group /domain*"))
OR (Image="*\\net1.exe" AND (CommandLine="*user /domain*" OR CommandLine="*localgroup administrators*"))
OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-LocalUser*" OR CommandLine="*Get-ADUser*" OR CommandLine="*Win32_UserAccount*" OR CommandLine="*WindowsIdentity*" OR CommandLine="*whoami*"))
)
| eval SuspiciousParent=if(match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|msbuild\.exe|installutil\.exe)$"), 1, 0)
| eval EnrichedFlags=if(match(lower(CommandLine), "(/all|/groups|/priv|/fo|useraccount|get-localuser|get-aduser|windowsidentity)"), 1, 0)
| eval HighPriv=if(match(lower(User), "(system|administrator|admin)"), 1, 0)
| eval RiskScore=SuspiciousParent + EnrichedFlags + HighPriv
| where RiskScore >= 1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspiciousParent, EnrichedFlags, HighPriv, RiskScore
| sort - RiskScore, - _timeDetects user discovery commands via Sysmon Event ID 1 (Process Creation). Captures whoami with enumeration flags, query/qwinsta/quser, wmic useraccount, net user domain queries, and PowerShell user enumeration cmdlets. Assigns a cumulative RiskScore based on suspicious parent process origin, enriched command-line flags, and high-privilege execution context. Events with RiskScore >= 1 are surfaced to reduce noise from bare whoami calls.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT helpdesk staff and administrators troubleshooting user sessions on RDS or shared servers
- Configuration management agents running user enumeration as part of inventory or compliance baselines
- Vulnerability scanners performing authenticated user enumeration during scheduled scans
- Monitoring agents collecting user session metadata for asset tracking and inventory platforms
- Developer and CI/CD automation resolving current user context during build or test steps
Other platforms for T1033
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Whoami Full Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\whoami.exe, CommandLine='whoami /all', ParentImage=cmd.exe or calling shell. Security Event ID 4688 if command line auditing is enabled. No network events expected.
- Test 2Query Active User Sessions
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\query.exe, CommandLine='query user'. Alternatively may appear as quser.exe. Security Event ID 4688 with command line auditing enabled.
- Test 3WMI User Account Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\wbem\wmic.exe, CommandLine containing 'useraccount get'. No network events if targeting local system. Security Event ID 4688 with full command line if auditing is enabled.
- Test 4Linux Multi-Command User Discovery
Expected signal: Linux auditd: SYSCALL records for execve of /usr/bin/whoami, /usr/bin/id, /usr/bin/w, /usr/bin/who, /usr/bin/last, /bin/cat with respective arguments. Syslog entries if auditd is configured to log to syslog. On systems with Sysmon for Linux: EventType=ProcessCreate for each command.
- Test 5PowerShell Active Directory User Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_UserAccount'. PowerShell ScriptBlock Logging Event ID 4104 in Microsoft-Windows-PowerShell/Operational log with full script content. No AD network queries for local account enumeration.
References (10)
- https://attack.mitre.org/techniques/T1033/
- https://attack.mitre.org/tactics/TA0007/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml
- https://www.secureworks.com/research/karagany-backdoor
- https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
- https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- https://securelist.com/shadowpad-in-corporate-networks/81432/
- https://us-cert.cisa.gov/ncas/alerts/aa20-239a
Unlock Pro Content
Get the full detection package for T1033 including response playbook, investigation guide, and atomic red team tests.