
System Owner/User Discovery

Description

Windows

Adversaries may attempt to identify the primary user, currently logged-in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Mac

On Mac, the currently logged-in user can be identified with <code>users</code>, <code>w</code>, and <code>who</code>.

Linux

On Linux, the currently logged-in user can be identified with <code>w</code> and <code>who</code>.
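One way to look for the Mac and Linux commands named above in process command-line telemetry, as an added example that is not part of the original ticket or of ATT&CK. The event field names (`platform`, `host`, `user`, `cmdline`) and the sample events are constructed assumptions.

```python
import re
import shlex
from pathlib import PurePosixPath

# Commands the description names for each platform (Windows names none).
USER_DISCOVERY = {"macos": {"users", "w", "who"}, "linux": {"w", "who"}}
SHELLS = {"sh", "bash", "zsh", "dash"}

def programs(cmdline, depth=0):
    """Yield the basename of each program a command line starts,
    unwrapping `sh -c '...'` so wrapped invocations are still seen."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes in the logged string
        tokens = cmdline.split()
    if not tokens:
        return
    name = PurePosixPath(tokens[0]).name
    yield name
    if name in SHELLS and "-c" in tokens[1:-1] and depth < 3:
        script = tokens[tokens.index("-c", 1) + 1]
        for part in re.split(r"[;|&]+", script):
            yield from programs(part, depth + 1)

def find_user_discovery(events):
    """Return (host, user, command) for each event that runs a listed command."""
    hits = []
    for ev in events:
        watched = USER_DISCOVERY.get(ev["platform"], set())
        match = next((p for p in programs(ev["cmdline"]) if p in watched), None)
        if match:
            hits.append((ev["host"], ev["user"], match))
    return hits

# Constructed process-creation events (hypothetical field names).
SAMPLE_EVENTS = [
    {"platform": "linux", "host": "web01", "user": "www-data", "cmdline": "/usr/bin/who -a"},
    {"platform": "linux", "host": "web01", "user": "deploy", "cmdline": "which python3"},
    {"platform": "macos", "host": "mbp-7", "user": "alice", "cmdline": "users"},
    {"platform": "macos", "host": "mbp-7", "user": "alice", "cmdline": "sh -c 'w | head -1'"},
    {"platform": "linux", "host": "db02", "user": "postgres", "cmdline": "grep -w who /etc/passwd"},
    {"platform": "linux", "host": "db02", "user": "root", "cmdline": "/opt/app/who-is-online --json"},
]

if __name__ == "__main__":
    for hit in find_user_discovery(SAMPLE_EVENTS):
        print(hit)
```

Matching on the program basename rather than a substring keeps `which`, `grep -w who` and `who-is-online` out of the results; service accounts such as `www-data` running these commands are usually the higher-signal hits.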

id

T1033

tactic

discovery

datasources

Process command-line parameters
Process monitoring
File monitoring

maturity

Not Tracked

Assignee

Unassigned