MITRE ATT&CK Technique
Description
Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including `whoami`. In macOS and Linux, the currently logged-in user can be identified with `w` and `who`. On macOS the `dscl . list /Users | grep -v '_'` command can also be used to enumerate user accounts. Environment variables, such as `%USERNAME%` and `$USER`, may also be used to access this information.

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device. (Citation: show_ssh_users_cmd_cisco) (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
Supported Platforms
Linux, macOS, Network Devices, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:35.733Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to identify the primary user, '
'currently logged in user, set of users that commonly uses a '
'system, or whether a user is actively using the system. They '
'may do this, for example, by retrieving account usernames or '
'by using [OS Credential '
'Dumping](https://attack.mitre.org/techniques/T1003). The '
'information may be collected in a number of different ways '
'using other Discovery techniques, because user and username '
'details are prevalent throughout a system and include running '
'process ownership, file/directory ownership, session '
'information, and system logs. Adversaries may use the '
'information from [System Owner/User '
'Discovery](https://attack.mitre.org/techniques/T1033) during '
'automated discovery to shape follow-on behaviors, including '
'whether or not the adversary fully infects the target and/or '
'attempts specific actions.\n'
'\n'
'Various utilities and commands may acquire this information, '
'including <code>whoami</code>. In macOS and Linux, the '
'currently logged in user can be identified with '
'<code>w</code> and <code>who</code>. On macOS the <code>dscl '
". list /Users | grep -v '_'</code> command can also be used "
'to enumerate user accounts. Environment variables, such as '
'<code>%USERNAME%</code> and <code>$USER</code>, may also be '
'used to access this information.\n'
'\n'
'On network devices, [Network Device '
'CLI](https://attack.mitre.org/techniques/T1059/008) commands '
'such as `show users` and `show ssh` can be used to display '
'users currently logged into the device.(Citation: '
'show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network '
'Infrastructure Devices 2018)',
'external_references': [{'external_id': 'T1033',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1033'},
{'description': 'Cisco. (2023, March 7). Cisco IOS '
'Security Command Reference: Commands '
'S to Z . Retrieved July 13, 2022.',
'source_name': 'show_ssh_users_cmd_cisco',
'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html'},
{'description': 'US-CERT. (2018, April 20). Russian '
'State-Sponsored Cyber Actors '
'Targeting Network Infrastructure '
'Devices. Retrieved October 19, 2020.',
'source_name': 'US-CERT TA18-106A Network '
'Infrastructure Devices 2018',
'url': 'https://us-cert.cisa.gov/ncas/alerts/TA18-106A'}],
'id': 'attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-24T17:48:20.366Z',
'name': 'System Owner/User Discovery',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Austin Clark, @c2defense'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Network Devices', 'Windows'],
'x_mitre_version': '1.6'}