Skip to content
Threat Feed
low advisory

Local Account and System Owner Discovery via Native Utilities

Threat actors utilize built-in Windows utilities like whoami, wmic, and net to perform local account and system owner discovery, a common post-exploitation reconnaissance technique facilitating privilege escalation and lateral movement.

This brief details a common post-exploitation reconnaissance technique used by threat actors to discover local user accounts and system owner information on compromised Windows systems. Adversaries employ built-in operating system utilities such as whoami.exe, quser.exe, qwinsta.exe, wmic.exe, cmdkey.exe, cmd.exe, and net.exe to gather intelligence about the environment. This activity, while benign in some administrative contexts, is a crucial step in an attacker's kill chain, enabling them to identify potential targets for privilege escalation, lateral movement, or to understand the scope of their access. This technique is often observed after initial access has been gained and before further actions on objectives are pursued.

Attack Chain

  1. Initial Access: A threat actor gains initial access to a Windows system, often via a phishing email with a malicious attachment or exploitation of a vulnerable internet-facing service.
  2. Execution: Malware or a shellcode payload is executed, establishing a foothold on the compromised machine and executing a command.
  3. Persistence: The attacker establishes persistence mechanisms, such as creating a new scheduled task or modifying a Run key, to maintain access across reboots.
  4. Local Account Discovery: Using utilities like whoami.exe, wmic.exe useraccount get, cmdkey.exe /l, cmd.exe /c dir \Users\, or net.exe user, the attacker enumerates local user accounts, logged-on users, and cached credentials to understand the local user landscape. This step is the focus of the detection.
  5. Privilege Escalation: Based on discovered information (e.g., identifying unpatched software, weak passwords, or privileged users), the attacker attempts to escalate privileges to gain administrative rights on the system.
  6. Lateral Movement: With elevated privileges, the attacker moves to other systems within the network, often by exploiting discovered credentials or misconfigurations.
  7. Data Exfiltration / Impact: The attacker achieves their final objective, such as exfiltrating sensitive data, deploying ransomware, or disrupting operations.

Impact

Failure to detect and respond to local account discovery can allow adversaries to gain a deeper understanding of the compromised environment, leading to successful privilege escalation and lateral movement. This reconnaissance phase is critical for attackers to identify high-value targets, gather credentials, and expand their access within an organization. The ultimate impact can range from data exfiltration and intellectual property theft to ransomware deployment, significant operational disruption, and severe financial and reputational damage. While discovery itself is not destructive, it directly facilitates more damaging subsequent stages of an attack.

Recommendation

  • Deploy the provided Sigma rule in this brief to your SIEM and tune it for your environment.
  • Enable Sysmon process creation logging to activate the rule above, ensuring Image, CommandLine, and OriginalFileName fields are captured.
  • Review alerts generated by the Sigma rule for execution of whoami.exe, quser.exe, qwinsta.exe, wmic.exe with useraccount get, cmdkey.exe /l, cmd.exe /c dir \Users\, and net.exe user from unusual processes or user contexts.
  • Implement Endpoint Detection and Response (EDR) solutions to monitor and alert on suspicious usage of built-in Windows utilities, particularly when invoked in unusual sequences or from unexpected parent processes.

Detection coverage 1

Local Accounts and System Owner Discovery

low

Detects local accounts, system owner, and user discovery using operating system utilities like whoami, quser, wmic, cmdkey, cmd, and net.

sigma tactics: discovery techniques: T1033, T1087.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →