Once on a victim's system, adversaries will perform user discovery to determine information, such as the primary user’s identity and capabilities. They may seek out users with access to remote systems so they can cast their net wider. Discover the attacker instead of the other way around with this dynamic, lab-based course!
Adversaries will attempt to identify the system owner and perform user discovery in support of the overall Discovery tactic. They may do this by pulling account usernames or using credential dumping. They will search for process ownership, directory ownership, and other important information that is available in system logs. By learning who target users are and what their capabilities may be, attackers can plan their next steps. Threat actors like FIN10 have been known to use Meterpreter to enumerate users on remote systems.
It is important to be able to detect this type of activity because mitigating it is difficult, given that it involves abusing normal system features.
Get the hands-on skills you need to detect and mitigate this attack in Cybrary's MITRE ATT&CK Framework courses aligned to the tactics and techniques used by the financially motivated threat group FIN10. Prevent adversaries from accomplishing the tactic of Discovery in your environment today.
Complete this entire course to earn a User Discovery Certificate of Completion