Atomic Test #7 — System Owner/User Discovery Using Command Prompt

Sai Prashanth Pulisetti
3 min read · Jan 22, 2024


System Owner/User Discovery Using Command Prompt

In the complex landscape of cybersecurity, understanding the intricacies of your operating environment is crucial. One key aspect of this is identifying who is using a system. This knowledge is not only fundamental for system administrators but also for cybersecurity professionals engaged in threat hunting and incident response. In this context, I present Atomic Test #7, a procedure designed for the Windows platform to discover system owners or current users.

The Atomic Test #7 Overview

Atomic Test #7 is a procedure designed for Windows systems. It uses native command prompt utilities to identify the system owner or current user. The beauty of this test lies in its simplicity and the utilization of built-in Windows tools. The unique identifier for this test is its auto-generated GUID: ba38e193-37a6-4c41-b214-61b33277fe36.

Inputs and Attack Commands

The test requires a simple input: the location of the output file, which by default is $env:temp. The attack commands are a series of Windows Command Prompt instructions designed to extract user information:

  1. set file=#{output_file_path}\user_info_%random%.tmp - This command sets the location and name of the temporary file where the user information will be stored. The use of %random% ensures that each file has a unique name.
  2. echo Username: %USERNAME% > %file% - This command writes the username of the current user to the file, creating it.
  3. echo User Domain: %USERDOMAIN% >> %file% - Similar to the previous command, this line appends the domain of the current user to the same file.
  4. net users >> %file% - This command lists all user accounts on the local machine or domain, appending the information to the file.
  5. query user >> %file% - This command lists the sessions of users currently logged on to the system, further appending to the file.

- name: "System Owner/User Discovery Using Command Prompt"
  description: "Identify the system owner or current user using native Windows command prompt utilities."
  supported_platforms:
    - "windows"
  auto_generated_guid: "9f12ab45-c332-4f5a-8e9b-6c81a8343e2e"
  input_arguments:
    output_file_path:
      description: "Location of output file."
      type: "string"
      default: "$env:temp"
  executor:
    name: "command_prompt"
    elevation_required: false
    command: |
      set file=#{output_file_path}\user_info_%random%.tmp
      echo Username: %USERNAME% > %file%
      echo User Domain: %USERDOMAIN% >> %file%
      net users >> %file%
      query user >> %file%
    cleanup_command: |
      del #{output_file_path}\\user_info_*.tmp
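Of the five commands above, only net users and query user start new processes; set and echo are cmd.exe built-ins and leave no process-creation event. The following added example (written for this post, not code from the Atomic Red Team project) shows the detection side: it runs over a handful of constructed process-creation records shaped like Sysmon Event ID 1 fields (UtcTime, Image, CommandLine, ParentImage, ParentProcessGuid, User are assumed field names) and flags a shell parent that runs two or more different user-discovery commands within a short window, which is exactly the burst this test produces.

```python
"""Hunt for T1033-style user discovery bursts in process-creation telemetry.

Added example, not part of the Atomic Red Team project. The records below are
constructed to resemble Sysmon Event ID 1 fields; they are not captured logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (label, regex on the image basename, regex on the command line)
DISCOVERY_PATTERNS = [
    ("net users",  re.compile(r"^net1?\.exe$"),         re.compile(r"\busers?\b", re.I)),
    ("query user", re.compile(r"^(query|quser)\.exe$"), re.compile(r"user", re.I)),
    ("whoami",     re.compile(r"^whoami\.exe$"),        re.compile(r".*")),
]
# Only interactive/scripting shells count as suspicious parents here.
PARENT_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the discovery-command label for one process event, or None."""
    image = basename(event["Image"])
    for label, image_re, cmd_re in DISCOVERY_PATTERNS:
        if image_re.match(image) and cmd_re.search(event["CommandLine"]):
            return label
    return None


def hunt(events, window=timedelta(seconds=60), min_distinct=2):
    """Group discovery commands by parent process and flag any shell parent
    that ran at least `min_distinct` different ones inside `window`."""
    by_parent = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label is None or basename(ev["ParentImage"]) not in PARENT_SHELLS:
            continue
        by_parent[ev["ParentProcessGuid"]].append(
            (datetime.strptime(ev["UtcTime"], TIME_FMT), label, ev))

    findings = []
    for parent, hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            labels = {h[1] for h in in_window}
            if len(labels) >= min_distinct:
                findings.append({
                    "parent_guid": parent,
                    "user": in_window[0][2]["User"],
                    "first_seen": start.strftime(TIME_FMT),
                    "commands": sorted(labels),
                })
                break  # one finding per parent process is enough
    return findings


def _ev(time, image, cmdline, parent, guid, user="LAB\\alice"):
    """Build one constructed event record."""
    return {"UtcTime": time, "Image": image, "CommandLine": cmdline,
            "ParentImage": parent, "ParentProcessGuid": guid, "User": user}


CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # Constructed: the atomic test's child processes under a single cmd.exe
    _ev("2024-01-22 10:15:01.000", r"C:\Windows\System32\net.exe", "net users", CMD, "{PARENT-A}"),
    _ev("2024-01-22 10:15:01.250", r"C:\Windows\System32\net1.exe",
        r"C:\Windows\system32\net1 users", r"C:\Windows\System32\net.exe", "{NET-A}"),
    _ev("2024-01-22 10:15:02.000", r"C:\Windows\System32\query.exe", "query user", CMD, "{PARENT-A}"),
    # Constructed benign: a lone whoami from another shell, below the threshold
    _ev("2024-01-22 14:02:10.000", r"C:\Windows\System32\whoami.exe", "whoami", CMD, "{PARENT-B}"),
    # Constructed benign: mapping a drive is not account discovery
    _ev("2024-01-22 14:05:00.000", r"C:\Windows\System32\net.exe", r"net use Z: \\fs\share", CMD, "{PARENT-C}"),
    # Constructed: same command, but the parent is not a shell, so it is ignored
    _ev("2024-01-22 15:00:00.000", r"C:\Windows\System32\net.exe", "net users",
        r"C:\Windows\System32\services.exe", "{PARENT-D}", user="NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The whoami pattern is included because the same technique is often run that way even though this test uses echo %USERNAME% instead; since echo and set never show up in process telemetry, pair this logic with file-creation events for user_info_*.tmp under the chosen output path if you want to see the test's first two steps as well.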

Practical Application

Atomic Test #7 is invaluable for system administrators and cybersecurity professionals. It enables quick identification of users, which is crucial in incident response scenarios where understanding the scope of a breach or the status of a system is critical. For instance, in a situation where unauthorized access is suspected, quickly identifying all active and historical user accounts can be instrumental in containing and mitigating the issue.

Cleanup Process

After the test, it’s essential to clean up. The command del #{output_file_path}\\user_info_*.tmp is used to delete the temporary files created during the test. This step ensures that no residual data is left that could be misused or cause confusion in future tests.

Conclusion

Atomic Test #7 for Windows is a straightforward yet powerful tool in the arsenal of cybersecurity professionals and system administrators. It leverages native tools to extract vital user information, playing a pivotal role in threat hunting and incident response strategies. By integrating such tests into regular cybersecurity protocols, organizations can enhance their preparedness against potential threats.

Call to Action

I invite all readers to share their experiences, insights, or any additional thoughts on the utilization of such atomic tests in the comments below. Let’s learn and grow together in our journey towards a more secure cyber environment.


Written by Sai Prashanth Pulisetti

A security geek with 3 years of experience in various security tools and methodologies. I expedite analysing malware samples in both static & dynamic analysis.