System Owner/User Discovery - T1033
Definition
Adversaries may attempt to identify the primary user of a system, the currently logged-in user, the set of users that commonly use it, or whether a user is actively using it at the moment. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. Because user and username details are prevalent throughout a system (running-process ownership, file and directory ownership, session information, and system logs), the same information can be collected through a number of other Discovery techniques. Adversaries may use the output of System Owner/User Discovery during automated discovery to shape follow-on behavior, including whether the adversary fully infects the target and/or attempts specific actions.
D3FEND Inferred Relationships
Offensive technique to artifact (T1033 System Owner/User Discovery)
  may-access  Process Segment (d3f:ProcessSegment)
  may-invoke  Copy Token (d3f:CopyToken)
  may-invoke  Create Process (d3f:CreateProcess)
  may-access  Password File (d3f:PasswordFile)
  may-access  Get System Config Value (d3f:GetSystemConfigValue)
  may-access  Directory Service (d3f:DirectoryService)

Defensive technique to artifact, with the inferred relationship to T1033

Detect
  System Call Analysis (d3f:SystemCallAnalysis) analyzes Create Process, Get System Config Value, Copy Token; may-detect T1033
  Process Spawn Analysis (d3f:ProcessSpawnAnalysis) analyzes Directory Service, Create Process; may-detect T1033
  Process Self-Modification Detection (d3f:ProcessSelf-ModificationDetection) analyzes Directory Service; may-detect T1033
  Process Lineage Analysis (d3f:ProcessLineageAnalysis) analyzes Directory Service; may-detect T1033
  File Integrity Monitoring (d3f:FileIntegrityMonitoring) analyzes Password File; may-detect T1033
  File Analysis (d3f:FileAnalysis) analyzes Password File; may-detect T1033

Deceive
  Decoy File (d3f:DecoyFile) spoofs Password File; may-deceive T1033

Evict
  File Eviction (d3f:FileEviction) deletes Password File; may-evict T1033
  Process Suspension (d3f:ProcessSuspension) suspends Directory Service; may-evict T1033
  Process Termination (d3f:ProcessTermination) terminates Directory Service; may-evict T1033
  Host Shutdown (d3f:HostShutdown) terminates Directory Service; may-evict T1033
  Host Reboot (d3f:HostReboot) terminates Directory Service; may-evict T1033

Harden
  Process Segment Execution Prevention (d3f:ProcessSegmentExecutionPrevention) neutralizes Process Segment; may-harden T1033
  Segment Address Offset Randomization (d3f:SegmentAddressOffsetRandomization) obfuscates Process Segment; may-harden T1033
  File Encryption (d3f:FileEncryption) encrypts Password File; may-harden T1033

Isolate
  Domain Trust Policy (d3f:DomainTrustPolicy) restricts Directory Service; may-isolate T1033
  Local File Permissions (d3f:LocalFilePermissions) restricts Password File; may-isolate T1033
  Kernel-based Process Isolation (d3f:Kernel-basedProcessIsolation) isolates Directory Service; may-isolate T1033
  Application-based Process Isolation (d3f:Application-basedProcessIsolation) isolates Directory Service; may-isolate T1033
  Hardware-based Process Isolation (d3f:Hardware-basedProcessIsolation) isolates Directory Service, restricts Create Process; may-isolate T1033
  Executable Allowlisting (d3f:ExecutableAllowlisting) filters Create Process; may-isolate T1033
  Executable Denylisting (d3f:ExecutableDenylisting) filters Create Process; may-isolate T1033
  System Call Filtering (d3f:SystemCallFiltering) filters Get System Config Value, Copy Token, Create Process; isolates Directory Service; may-isolate T1033
  Remote File Access Mediation (d3f:RemoteFileAccessMediation) isolates Password File; may-isolate T1033
  Web Session Access Mediation (d3f:WebSessionAccessMediation) isolates Directory Service; may-isolate T1033

Restore
  Restore File (d3f:RestoreFile) restores Password File; may-restore T1033
  Restore Database (d3f:RestoreDatabase) restores Password File; may-restore T1033

Artifact pages are at /dao/artifact/d3f:<Artifact>; defensive technique pages are at /technique/d3f:<Technique>; the offensive technique page is at /offensive-technique/attack/T1033/.
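The Definition above says that discovery of the current or logged-on user shapes what the adversary does next, and the relationship list maps that to Process Spawn Analysis and System Call Analysis over Create Process. The following is an added example of that analysis, written for this page; it is not code from D3FEND or from ATT&CK. The process-creation record format, the field names (ts, host, user, ppid, parent, cmdline), the sample events and the list of "suspicious parent" images are all constructed assumptions, not any vendor's schema. It classifies each command line by the user-discovery command it carries (unwrapping `cmd /c` / `sh -c` and splitting chained commands), then groups hits by parent process so that a burst of distinct discovery commands from one parent, the automated discovery the Definition describes, is rated higher than a lone `whoami` typed by an administrator.

```python
"""Process Spawn Analysis for T1033 (System Owner/User Discovery).

Added example for this page, not D3FEND or ATT&CK code. The event
schema, sample events and SUSPICIOUS_PARENTS set below are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines whose purpose is to reveal the current or logged-on users.
# Each pattern is matched against a normalised sub-command (lower-case,
# path and .exe stripped from the executable); first match wins.
DISCOVERY_PATTERNS = [
    (r"^whoami\b", "whoami"),
    (r"^(query|quser)\s+user\b|^quser\b", "query user"),
    (r"^qwinsta\b", "qwinsta"),
    (r"^(net|net1)\s+user\b", "net user"),
    (r"^echo\s+[\"']?%username%", "echo %username%"),
    (r"\$env:username\b|\[environment\]::username", "powershell-username"),
    (r"^wmic\s+(computersystem|useraccount)\b", "wmic-user"),
    (r"^id\b", "id"),
    (r"^(w|who|users|logname)\b", "who"),
    (r"^last(log)?\b", "last"),
    (r"^cat\s+/etc/passwd\b|^getent\s+passwd\b", "passwd-file-read"),
]
SHELL_WRAPPERS = {"cmd", "sh", "bash", "dash", "powershell", "pwsh"}
WRAPPER_FLAGS = {"/c", "-c", "-command"}
# Assumed parents that should never be enumerating users themselves.
SUSPICIOUS_PARENTS = {"winword", "excel", "powerpnt", "outlook", "mshta", "wscript",
                      "cscript", "rundll32", "w3wp", "apache2", "nginx", "php-fpm"}


def image_name(path: str) -> str:
    """Base name of an image path, lower-case, without a trailing .exe."""
    name = path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def normalise(cmdline: str) -> str:
    """'C:\\Windows\\System32\\whoami.exe /all' -> 'whoami /all' (quoted exe ok)."""
    cmd = cmdline.strip().lower()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd, "")
    else:
        exe, _, rest = cmd.partition(" ")
    return (image_name(exe) + " " + rest.strip()).strip()


def subcommands(cmdline: str):
    """Yield normalised sub-commands: unwrap one `cmd /c "..."` / `sh -c '...'`
    layer and split on ; & && | || so chained discovery commands are all seen."""
    norm = normalise(cmdline)
    tokens = norm.split(None, 2)
    if len(tokens) == 3 and tokens[0] in SHELL_WRAPPERS and tokens[1] in WRAPPER_FLAGS:
        norm = tokens[2].strip("\"'")
    for seg in re.split(r"\s*(?:&&|\|\||[;|&])\s*", norm):
        seg = normalise(seg)
        if seg:
            yield seg


def classify(cmdline: str) -> set:
    """Set of discovery labels present in a command line (empty if none)."""
    found = set()
    for seg in subcommands(cmdline):
        for pattern, label in DISCOVERY_PATTERNS:
            if re.search(pattern, seg):
                found.add(label)
                break
    return found


def analyse(events, window=timedelta(seconds=60)):
    """Group discovery hits by (host, parent pid). Two or more distinct
    discovery commands from one parent inside `window` of its first hit is
    treated as an automated discovery burst. Severity: high = burst from a
    suspicious parent, medium = burst from a normal parent or a single hit
    from a suspicious parent, low = single hit from a normal parent."""
    hits = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for label in classify(ev["cmdline"]):
            hits[(ev["host"], ev["ppid"])].append((ts, label, ev))
    alerts = []
    for (host, ppid), items in hits.items():
        items.sort(key=lambda x: x[0])
        first_ts, _, first_ev = items[0]
        labels = sorted({lbl for ts, lbl, _ in items if ts - first_ts <= window})
        parent = image_name(first_ev["parent"])
        suspicious = parent in SUSPICIOUS_PARENTS
        severity = ("high" if len(labels) >= 2 and suspicious
                    else "medium" if len(labels) >= 2 or suspicious
                    else "low")
        alerts.append({"host": host, "ppid": ppid, "parent": parent,
                       "user": first_ev["user"], "labels": labels, "severity": severity})
    return sorted(alerts, key=lambda a: (a["host"], a["ppid"]))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "ws01", "user": "corp\\alice", "ppid": 1000,
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "whoami"},
    {"ts": "2024-05-01T10:15:00", "host": "ws02", "user": "corp\\bob", "ppid": 4120,
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "cmd.exe /c whoami /all"},
    {"ts": "2024-05-01T10:15:03", "host": "ws02", "user": "corp\\bob", "ppid": 4120,
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": '"C:\\Windows\\System32\\query.exe" user'},
    {"ts": "2024-05-01T10:15:07", "host": "ws02", "user": "corp\\bob", "ppid": 4120,
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "net user"},
    {"ts": "2024-05-01T10:15:10", "host": "ws02", "user": "corp\\bob", "ppid": 4120,
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": 'powershell.exe -nop -c "$env:USERNAME; [Environment]::UserName"'},
    {"ts": "2024-05-01T11:02:41", "host": "srv01", "user": "www-data", "ppid": 2210,
     "parent": "/usr/sbin/apache2", "cmdline": 'sh -c "id; w; cat /etc/passwd"'},
    {"ts": "2024-05-01T11:30:00", "host": "srv01", "user": "root", "ppid": 3001,
     "parent": "/bin/bash", "cmdline": "last -n 5"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The grouping key is the parent pid rather than the user, because an implant issuing `whoami`, `query user` and `net user` in sequence shares one parent while the legitimate administrator's single `whoami` does not. Only one wrapper layer is unwrapped and encoded PowerShell (`-enc`) is not decoded; a production rule would decode it before classification.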