Atomic Test #7 — System Owner/User Discovery Using Command Prompt
Knowing who is using a system is one of the basics of understanding your operating environment. That knowledge matters to system administrators, but just as much to defenders doing threat hunting and incident response, because an attacker who has just landed on a host wants the same answer. This post walks through Atomic Test #7 for the Atomic Red Team technique T1033 (System Owner/User Discovery), a Windows procedure that discovers the system owner or current user with nothing more than the command prompt.
The Atomic Test #7 Overview
Atomic Test #7 is a procedure for Windows systems. It uses native command prompt utilities to identify the system owner or current user, so it needs no tooling beyond what ships with the operating system and no elevation. The test's auto-generated GUID is ba38e193-37a6-4c41-b214-61b33277fe36.
Inputs and Attack Commands
The test takes a single input argument, output_file_path, the directory the output file is written to. Its default is $env:temp, which is a PowerShell expression, not a cmd.exe one: Invoke-AtomicTest evaluates the argument in PowerShell before substituting it into the command, so by the time cmd.exe sees it the value is already a real path. If you paste the commands into a cmd.exe window by hand, replace it with %TEMP% or an explicit directory, otherwise cmd.exe treats "$env:temp" as a literal directory name that does not exist. The attack commands are a short sequence of Windows Command Prompt instructions that collect user information into that file:
set file=#{output_file_path}\user_info_%random%.tmp
- Sets the location and name of the temporary file that will hold the collected information. %random% (a 0 to 32767 value cmd.exe expands at run time) gives each run a distinct file name; it is not cryptographically unique and can collide across runs.
echo Username: %USERNAME% > %file%
- Writes the name of the current user to the file, creating it (or overwriting an existing one, since a single > is used).
echo User Domain: %USERDOMAIN% >> %file%
- Appends the domain of the current user. For a local account this is the computer name rather than an Active Directory domain.
net users >> %file%
- Appends the list of user accounts defined on the local machine. Without the /domain switch this is local accounts only; net users is accepted as a synonym of net user.
query user >> %file%
- Appends the interactive sessions currently on the host (active and disconnected), with session name, ID, state, idle time and logon time. Note that query.exe is not present on Windows Home editions, where this line writes nothing to the file and prints an error instead.
Two of these lines matter for detection later: echo and set are cmd.exe built-ins and create no process, whereas net users spawns net.exe (which in turn spawns net1.exe) and query user spawns query.exe, so only the last two lines leave process-creation events.
- name: "System Owner/User Discovery Using Command Prompt"
  description: "Identify the system owner or current user using native Windows command prompt utilities."
  supported_platforms:
    - "windows"
  auto_generated_guid: "9f12ab45-c332-4f5a-8e9b-6c81a8343e2e"
  input_arguments:
    output_file_path:
      description: "Location of output file."
      type: "string"
      default: "$env:temp"
  executor:
    name: "command_prompt"
    elevation_required: false
    command: |
      set file=#{output_file_path}\user_info_%random%.tmp
      echo Username: %USERNAME% > %file%
      echo User Domain: %USERDOMAIN% >> %file%
      net users >> %file%
      query user >> %file%
    cleanup_command: |
      del #{output_file_path}\\user_info_*.tmp
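To make the substitution concrete, here is an added Python example (written for this post, not code from Atomic Red Team) that renders the test's command and cleanup templates the way they reach cmd.exe. It separates the three kinds of placeholder involved: #{...} input arguments, which the framework substitutes; $env:NAME, which the framework's PowerShell host expands inside the argument value (the expansion helper below is an emulation of that behaviour, and the sample environment with a TEMP path for a user "alice" is constructed); and %NAME%, which is left for cmd.exe to expand at run time. Passing ps_env=None shows what a run without PowerShell in front receives.

```python
"""Added example (not Atomic Red Team code): render the test's command template
the way Invoke-AtomicTest does before handing it to cmd.exe."""
import re

# Copied from the test definition. #{...} are Atomic input-argument
# placeholders; %...% are cmd.exe environment-variable references.
COMMAND_TEMPLATE = """set file=#{output_file_path}\\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%"""
CLEANUP_TEMPLATE = r"del #{output_file_path}\\user_info_*.tmp"
INPUT_DEFAULTS = {"output_file_path": "$env:temp"}

# Constructed stand-in for the PowerShell environment Invoke-AtomicTest runs in.
SAMPLE_PS_ENV = {"temp": r"C:\Users\alice\AppData\Local\Temp"}


def expand_powershell_env(value, ps_env):
    """Expand $env:NAME tokens as the PowerShell host would. Invoke-AtomicTest
    evaluates input arguments in PowerShell before substitution, which is why a
    default of $env:temp works for a command_prompt executor. This is an
    emulation written for the example; ps_env=None models a plain cmd.exe run
    with no PowerShell in front, where the token stays literal."""
    if ps_env is None:
        return value

    def sub(match):
        name = match.group(1).lower()
        if name not in ps_env:
            raise KeyError(f"$env:{name} is not set in the sample environment")
        return ps_env[name]

    return re.sub(r"\$env:([A-Za-z_][A-Za-z0-9_]*)", sub, value)


def render(template, inputs, ps_env):
    """Substitute every #{name} input argument; refuse to emit an unresolved one."""
    rendered = template
    for name, value in inputs.items():
        rendered = rendered.replace("#{%s}" % name, expand_powershell_env(value, ps_env))
    leftover = re.findall(r"#\{([^}]+)\}", rendered)
    if leftover:
        raise ValueError(f"unresolved input arguments: {leftover}")
    return rendered


def cmd_variables(rendered):
    """Variable names still left for cmd.exe to expand at run time (%NAME%)."""
    return sorted({v.lower() for v in re.findall(r"%([A-Za-z_][A-Za-z0-9_]*)%", rendered)})


if __name__ == "__main__":
    print(render(COMMAND_TEMPLATE, INPUT_DEFAULTS, SAMPLE_PS_ENV))
    print("left to cmd.exe:", cmd_variables(render(COMMAND_TEMPLATE, INPUT_DEFAULTS, SAMPLE_PS_ENV)))
    print(render(CLEANUP_TEMPLATE, INPUT_DEFAULTS, SAMPLE_PS_ENV))
    print("without PowerShell:", render(COMMAND_TEMPLATE, INPUT_DEFAULTS, None).splitlines()[0])
```

The doubled backslash that survives in the rendered cleanup line is carried over from the test definition; cmd.exe collapses repeated path separators, so it still matches the files the command wrote.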
Practical Application
Atomic Test #7 is useful to system administrators and defenders in two ways. Run as an emulation, it exercises exactly the enumeration an intruder performs after landing on a host, so it is a cheap way to confirm that process-creation logging (Security event 4688 with command-line auditing, or Sysmon event 1) captures net.exe and query.exe, and that your detections fire on them. Run as a quick triage step during incident response, it gives a snapshot of which accounts exist on the host and which sessions are currently logged on. Be precise about what it does and does not show: net users lists defined accounts and query user lists current sessions, so the output tells you nothing about historical logons; for those, consult the Security log (event 4624) rather than this test.
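The hunting logic this test lets you validate, as an added Python example (written for this post, not part of Atomic Red Team or any product): it classifies process-creation records into an account-listing category (net.exe/net1.exe user or users with no account name) and a session-listing category (query.exe user or quser.exe), then alerts when one parent process produced both within a short window, which is the footprint the test leaves. The sample records are constructed for the example and mimic Sysmon event 1 / Security 4688 fields; a single account lookup and a "query session" are included to show they do not trigger.

```python
"""Added example (not from the page or Atomic Red Team): hunt for the test's
footprint in process-creation telemetry. Sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Only lines that spawn a process appear here:
# the echo/set lines are cmd.exe built-ins and never create a process.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "parent": "{P1}", "image": r"C:\Windows\System32\net.exe",   "cmdline": "net  users"},
    {"ts": "2024-01-10T09:00:01", "parent": "{P1}", "image": r"C:\Windows\System32\net1.exe",  "cmdline": r"C:\Windows\system32\net1  users"},
    {"ts": "2024-01-10T09:00:02", "parent": "{P1}", "image": r"C:\Windows\System32\query.exe", "cmdline": "query  user"},
    # Benign admin activity: one account lookup, and a session query hours later
    {"ts": "2024-01-10T11:30:00", "parent": "{P2}", "image": r"C:\Windows\System32\net.exe",   "cmdline": "net user svc-backup /domain"},
    {"ts": "2024-01-10T14:00:00", "parent": "{P3}", "image": r"C:\Windows\System32\query.exe", "cmdline": "query session"},
]


def classify(image, cmdline):
    """Map one process-creation record to a discovery category, or None."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    toks = cmdline.lower().split()  # also collapses the double spaces net.exe logs
    if exe in ("net.exe", "net1.exe") and len(toks) >= 2 and toks[1] in ("user", "users"):
        # "net user" with no account name (only /switches) lists every account;
        # "net user <name>" is a single lookup and is not counted.
        positional = [t for t in toks[2:] if not t.startswith("/")]
        if not positional:
            return "list_accounts"
    if exe == "quser.exe" or (exe == "query.exe" and len(toks) >= 2 and toks[1] == "user"):
        return "list_sessions"
    return None


def find_discovery_sequences(events, window=timedelta(minutes=5)):
    """Return parents that ran both an account listing and a session listing
    within `window` of each other, i.e. the sequence this test emits."""
    first_seen = defaultdict(dict)  # parent -> {category: earliest timestamp}
    for ev in events:
        cat = classify(ev["image"], ev["cmdline"])
        if cat is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        seen = first_seen[ev["parent"]]
        if cat not in seen or ts < seen[cat]:
            seen[cat] = ts
    alerts = []
    for parent, seen in first_seen.items():
        if "list_accounts" in seen and "list_sessions" in seen:
            delta = abs(seen["list_accounts"] - seen["list_sessions"])
            if delta <= window:
                alerts.append({"parent": parent, "spread_seconds": delta.total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_sequences(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent process rather than the host keeps an administrator's one-off "net user" from pairing with an unrelated "query user" hours later; in production you would key on the parent process GUID your sensor provides and tune the window to your environment.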
Cleanup Process
After the test, clean up. The command del #{output_file_path}\\user_info_*.tmp deletes every file matching the pattern in the output directory (the doubled backslash is tolerated by cmd.exe). Removing the file matters for two reasons: it contains an account and session inventory of the host that should not be left lying around in a world-readable temp directory, and stale files from an earlier run would confuse the next one. Note that the cleanup only removes the file; the process-creation events the test generated stay in your logs, which is exactly what you want when the goal is to validate detection.
Conclusion
Atomic Test #7 for Windows is a straightforward yet powerful tool in the arsenal of cybersecurity professionals and system administrators. It leverages native tools to extract vital user information, playing a pivotal role in threat hunting and incident response strategies. By integrating such tests into regular cybersecurity protocols, organizations can enhance their preparedness against potential threats.
Call to Action
I invite all readers to share their experiences, insights, or any additional thoughts on the utilization of such atomic tests in the comments below. Let’s learn and grow together in our journey towards a more secure cyber environment.