title: System Owner/User Discovery (T1033)
id: df00tech-t1033
status: experimental
description: "Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. They may do this by retrieving account usernames via built-in OS utilities such as whoami, query user, qwinsta, w, who, and id, or by querying environment variables, WMI, and Active Directory. The information is used during automated discovery to shape follow-on behaviors: whether to fully deploy a payload, escalate privileges, or target a specific high-value user account."
references:
  - https://attack.mitre.org/techniques/T1033/
  - https://df00tech.com/detections/T1033
author: df00tech
date: 2026/04/16
tags:
  - attack.t1033
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT helpdesk staff and system administrators routinely running whoami or query user when troubleshooting user sessions on RDS/Terminal Server hosts"
  - "Software deployment and configuration management agents (SCCM, Ansible, Chef, Puppet) that enumerate local users as part of compliance checks"
  - "Vulnerability scanners and security baseline tools (Nessus, Tenable.io, CIS-CAT) that query user accounts during authenticated scans"
  - "Monitoring and SIEM agents that collect user session data for asset inventory (e.g., Tanium, BigFix, Qualys Cloud Agent)"
  - "Developer tooling and CI/CD pipelines that resolve the current user context during build or deployment steps"
level: low
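Added example, not part of the df00tech rule or its KQL/SPL query: a Python check that applies the utilities named in the description and the benign sources listed under falsepositives to constructed Sysmon-style process_creation events, and flags hosts where several discovery commands share one parent (the automated-discovery pattern). Field names follow Sysmon Event ID 1; the agent parent-image names and the burst threshold are assumptions to adjust per environment.

```python
from collections import Counter

# Binaries named in the technique description; query.exe counts only for "query user"/"query session".
DISCOVERY_BINARIES = {"whoami.exe", "qwinsta.exe"}
QUERY_USER_ARGS = {"user", "session"}
# Parent images treated as benign per the rule's falsepositives list
# (assumed agent binary names; adjust to your environment).
BENIGN_PARENTS = {"ccmexec.exe", "taniumclient.exe", "besclient.exe", "qualysagent.exe"}

def basename(path):
    # Sysmon Image/ParentImage are full paths; compare on the lower-cased file name.
    return path.rsplit("\\", 1)[-1].lower()

def is_user_discovery(event):
    """True when a process_creation event runs a T1033 user-discovery utility."""
    image = basename(event.get("Image", ""))
    if image in DISCOVERY_BINARIES:
        return True
    args = event.get("CommandLine", "").lower().split()[1:]
    return image == "query.exe" and bool(args) and args[0] in QUERY_USER_ARGS

def classify(event):
    """'ignore' (not discovery), 'benign' (known agent parent) or 'suspect'."""
    if not is_user_discovery(event):
        return "ignore"
    if basename(event.get("ParentImage", "")) in BENIGN_PARENTS:
        return "benign"
    return "suspect"

def find_bursts(events, threshold=3):
    """(Computer, ParentProcessId) pairs with >= threshold suspect discovery
    commands: the scripted enumeration pattern rather than a one-off whoami."""
    counts = Counter((e["Computer"], e["ParentProcessId"])
                     for e in events if classify(e) == "suspect")
    return {key for key, n in counts.items() if n >= threshold}

def ev(computer, ppid, parent, image, cmdline):
    # Constructed Sysmon EID 1 style record (sample data, not real telemetry).
    return {"Computer": computer, "ParentProcessId": ppid, "ParentImage": parent,
            "Image": image, "CommandLine": cmdline}

SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ev("WS01", 4100, SYS32 + r"\cmd.exe", SYS32 + r"\whoami.exe", "whoami /all"),
    ev("WS01", 4100, SYS32 + r"\cmd.exe", SYS32 + r"\query.exe", "query user"),
    ev("WS01", 4100, SYS32 + r"\cmd.exe", SYS32 + r"\qwinsta.exe", "qwinsta"),
    ev("RDS01", 900, r"C:\Windows\CCM\CcmExec.exe", SYS32 + r"\whoami.exe", "whoami"),
    ev("WS02", 77, r"C:\Windows\explorer.exe", SYS32 + r"\notepad.exe", "notepad"),
]
```

Running find_bursts(SAMPLE_EVENTS) returns {("WS01", 4100)}: the three discovery commands under one cmd.exe, while the SCCM-spawned whoami is classified benign.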
