
WHOAMI

Adversaries run "whoami" early on a compromised system to learn which account they hold, so they can judge its privileges and plan the next step. It is only a first, basic reconnaissance step (System Owner/User Discovery in ATT&CK terms), but because alerting on whoami.exe process creation is so common, it is worth knowing the many other ways to get the same answer. Each of them leaves different telemetry (a different binary, a registry read, a WMI or .NET call, or no new process at all), which is the point of the list below.

CMD Prompt

whoami

whoami /all
REM adds the SID, group memberships and privileges of the current token

set
REM dumps the whole environment block; USERNAME, USERDOMAIN, USERPROFILE and LOGONSERVER are all in it

echo %username%
REM the environment variable only; it is inherited from the parent process and can be changed freely

tasklist /v
REM the verbose listing carries a "User Name" column for every process, including the current shell

cmd.exe /c echo %username%
REM same answer as the plain echo, but from a child shell, so a new cmd.exe process creation is logged

dsregcmd /status
REM Entra ID (Azure AD) join state; recent builds also print the executing account name in the diagnostic data

klist
REM cached Kerberos tickets for the current logon session; the Client field of each ticket is the principal name

PowerShell

[Environment]::UserName
# .NET property: account name only, no domain part

$env:USERNAME
# environment variable inherited from the parent process; anything in the session can overwrite it

gci env:* | Sort-Object Name
# the whole environment through the env: drive; USERNAME, USERDOMAIN, USERPROFILE and LOGONSERVER are in it

gci env:USERNAME
ls env:USERNAME
# single variable through the same drive; gci, ls and dir are all aliases of Get-ChildItem

gci env:*
ls env:*

[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
# DOMAIN\user read from the process token, so it stays correct even if the environment has been edited
$(Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName).UserName
# Win32_ComputerSystem.UserName is the interactively logged-on (console) user as DOMAIN\user; it is empty when
# nobody is logged on at the console and it does not change when this process runs under a different account

Write-Host $(whoami)
# still spawns whoami.exe; only the parent differs

[String] ${stUserDomain}, [String] ${stUserAccount} = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')
# multiple assignment: DOMAIN\user from the token split into two typed variables

$username = ((Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty UserName) -split '\\')[1]
# -split takes a regex, hence the doubled backslash; [1] is the account part of the console user

# P/Invoke straight into advapi32!GetUserName: no cmdlet, no .NET wrapper, no child process
$sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool GetUserName(System.Text.StringBuilder sb, ref Int32 length);
'@

Add-Type -MemberDefinition $sig -Namespace Advapi32 -Name Util

$size = 256                         # UNLEN is 256; a 64-character buffer fails with ERROR_INSUFFICIENT_BUFFER on long names
$str = New-Object System.Text.StringBuilder -ArgumentList $size

if ([Advapi32.Util]::GetUserName($str, [ref]$size)) {
    $str.ToString()                 # $size now holds the number of characters written, including the terminator
} else {
    "GetUserName failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
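The sources above do not all answer the same question: the token says what the process runs as, the environment says what the parent process handed down, and Win32_ComputerSystem says who owns the console session. The following added example (not part of the original post) pulls the name from each source, compares every one against the token, and then edits $env:USERNAME in the session to show which sources follow the change. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the P/Invoke type is registered under the hypothetical namespace Added.NativeUser so it does not collide with the Advapi32.Util type from the snippet above.

```powershell
# Added example: compare user-name sources against the process token.
# Assumption: Windows PowerShell 5.1 or PowerShell 7 on Windows.

$sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool GetUserName(System.Text.StringBuilder sb, ref int length);
'@
# Hypothetical namespace/type name chosen to avoid clashing with Advapi32.Util above.
Add-Type -MemberDefinition $sig -Namespace Added -Name NativeUser

function Get-UserNameViaApi {
    # Direct Win32 call; reads the token, not the environment.
    $size = 256
    $sb = New-Object System.Text.StringBuilder -ArgumentList $size
    if (-not [Added.NativeUser]::GetUserName($sb, [ref]$size)) {
        throw "GetUserName failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $sb.ToString()
}

function Get-UserNameSources {
    # Token-derived: what the process actually runs as.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenUser = $identity.Name.Split('\')[-1]

    # Environment-derived: inherited from the parent and writable by anything in the session.
    $envUser = $env:USERNAME
    $regUser = (Get-ItemProperty -Path 'HKCU:\Volatile Environment' -Name USERNAME -ErrorAction SilentlyContinue).USERNAME

    # Session-derived: WMI reports the console user, which may not be this process's account.
    $wmiUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ($wmiUser) { $wmiUser = $wmiUser.Split('\')[-1] }

    [PSCustomObject]@{
        Token       = $tokenUser
        TokenSid    = $identity.User.Value
        GetUserName = Get-UserNameViaApi
        EnvVar      = $envUser
        Registry    = $regUser
        Wmi         = $wmiUser
    }
}

function Test-UserNameConsistency {
    param([Parameter(Mandatory)] $Sources)
    # One line per source that disagrees with the token; nothing returned means all agree.
    $mismatches = @()
    foreach ($name in 'GetUserName', 'EnvVar', 'Registry', 'Wmi') {
        $value = $Sources.$name
        if ($value -and $value -ne $Sources.Token) {
            $mismatches += "$name reports '$value' but the token is '$($Sources.Token)'"
        }
    }
    $mismatches
}

# Baseline: in a normal console session every source agrees.
$before = Get-UserNameSources
$before | Format-List
Test-UserNameConsistency -Sources $before

# Tamper with the environment only. The token, the API call, the registry and WMI are untouched,
# so only EnvVar disagrees afterwards.
$env:USERNAME = 'not-the-real-user'
$after = Get-UserNameSources
Test-UserNameConsistency -Sources $after

# Restore the session variable.
$env:USERNAME = $before.EnvVar
```

Run it from an RDP session while someone else holds the console and Wmi will also disagree, which is the other caveat worth remembering: any command on this page that goes through Win32_ComputerSystem, wmic computersystem or HKCU\Volatile Environment is reporting a logon session, not the token of the process that asked.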

More CMD Prompts

tasklist /v

dsregcmd /status

klist

wmic.exe computersystem get username
REM the same console-user value as Win32_ComputerSystem.UserName, not the account of the current process;
REM wmic is deprecated and is no longer installed by default on recent Windows 11 builds

reg query "HKCU\Volatile Environment" /v USERNAME

reg query "HKCU\Volatile Environment" /v USERPROFILE
REM populated at interactive logon and discarded at logoff; HKCU resolves to the hive of the current token

Get-ItemProperty -Path 'HKCU:\Volatile Environment\' -Name USERNAME | Select-Object USERNAME
# PowerShell form of the reg query above (this one does not run in cmd.exe)

LOLBINS

# tasklist, dsregcmd, klist, wmic.exe and reg.exe from the section above are all signed, in-box binaries,
# so each of them already counts as a LOLBin for user discovery. PowerShell additions:

# owner of the current process, resolved through WMI rather than from the token
$id = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -ExpandProperty Id
$processinfo = (Get-WmiObject -Class Win32_Process -Filter "Handle=$id").GetOwner()
$processinfo | Select-Object -Property Domain, User

# SID of the current account; Get-LocalUser only knows local accounts, so this fails for a domain user
(Get-LocalUser -Name $env:USERNAME | Select-Object SID).SID

# only present once Microsoft Office has run under this profile; the value is the Office "user name" setting,
# which the user or an installer may have set to anything
(Get-ItemProperty 'HKCU:\Software\Microsoft\Office\Common\UserInfo').UserName

Other ways

wmic useraccount where name='%username%' get sid
REM resolve the name to a SID, then the reverse lookup with the SID from the first query in place of the placeholder
wmic useraccount where sid='XXXXXXXXXXXX' get name

gpresult /R
gpresult /Z
REM /R prints the RSoP summary ("RSOP data for DOMAIN\user on COMPUTER") with the user's security groups;
REM /Z prints everything; the two switches are mutually exclusive, so run them separately
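Taken together, the lists above are the reason a detection that only matches "whoami" misses most of this activity. The added example below (not part of the original post) turns the page into a small classifier: a table of regexes, one per technique, applied to process command lines in the shape of the CommandLine field from Sysmon Event ID 1 or Security event 4688. The log lines are constructed for the example, not real telemetry, and the pattern names are my own labels.

```powershell
# Added example: flag user-discovery command lines from this page in process-creation logs.
# Sample lines are constructed; patterns are illustrative, not a complete rule set.

$UserDiscoveryPatterns = [ordered]@{
    'whoami'                 = '(?i)(^|[\\\s"])whoami(\.exe)?(\s|$|")'
    'env-var echo'           = '(?i)echo\s+%username%|\$env:username|\[environment\]::username'
    'set (env dump)'         = '(?i)\s/c\s+set(\s|$)|^set$'
    'tasklist /v'            = '(?i)tasklist(\.exe)?\s+.*\/v'
    'dsregcmd /status'       = '(?i)dsregcmd(\.exe)?\s+/status'
    'klist'                  = '(?i)(^|[\\\s"])klist(\.exe)?(\s|$)'
    'wmic computersystem'    = '(?i)wmic(\.exe)?\s+computersystem\s+get\s+username'
    'wmic useraccount'       = '(?i)wmic(\.exe)?\s+useraccount\s+where'
    'reg query Volatile Env' = '(?i)reg(\.exe)?\s+query\s+"?HKCU\\Volatile Environment'
    'Win32_ComputerSystem'   = '(?i)win32_computersystem'
    'WindowsIdentity'        = '(?i)windowsidentity\]::getcurrent'
    'gpresult'               = '(?i)gpresult(\.exe)?\s+/(r|z|v)'
}

function Get-UserDiscoveryMatches {
    param([Parameter(Mandatory)][string[]] $CommandLines)
    foreach ($line in $CommandLines) {
        # Collect every technique label whose pattern matches this command line.
        $hits = foreach ($entry in $UserDiscoveryPatterns.GetEnumerator()) {
            if ($line -match $entry.Value) { $entry.Key }
        }
        [PSCustomObject]@{
            CommandLine = $line
            Techniques  = @($hits)
            Suspicious  = (@($hits).Count -gt 0)
        }
    }
}

# Constructed sample: alternatives from this page mixed with benign administration.
$sample = @(
    'C:\Windows\System32\whoami.exe /all',
    'cmd.exe /c echo %username%',
    'C:\Windows\System32\dsregcmd.exe /status',
    'powershell.exe -nop -c "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"',
    'reg.exe query "HKCU\Volatile Environment" /v USERNAME',
    'C:\Windows\System32\klist.exe',
    'wmic.exe computersystem get username',
    'notepad.exe C:\Users\alice\notes.txt',
    'C:\Windows\System32\tasklist.exe /svc'
)

$results = Get-UserDiscoveryMatches -CommandLines $sample
$results | Format-Table -AutoSize

# What a rule would key on: several distinct discovery techniques from one host in a short window.
$distinct = $results | Where-Object Suspicious | ForEach-Object Techniques | Sort-Object -Unique
"Distinct user-discovery techniques in sample: $($distinct.Count)"
```

Only the whoami.exe line is caught by a binary-name rule; the other six suspicious lines in the sample need the command-line patterns. In-process variants ($env:USERNAME typed at an interactive prompt, the P/Invoke snippet, [Environment]::UserName) never produce a process-creation event at all, so for those the only chance is script-block logging (Event ID 4104) or a registry-read sensor on HKCU\Volatile Environment.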

Directly Calling Methods

https://learn.microsoft.com/en-us/windows/win32/api/rpcndr/nf-rpcndr-ndrclientcall3
NdrClientCall3 is the client-side RPC stub routine that marshals and sends a call, so code carrying its own stub descriptor can talk to RPC interfaces directly instead of spawning the in-box client that normally does.

https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-rtl_user_process_parameters
RTL_USER_PROCESS_PARAMETERS is the PEB-referenced structure holding the image path, command line and (in its reserved region) the environment block, so the USERNAME string that set and $env:USERNAME print can be read straight out of process memory without an API call.

https://learn.microsoft.com/en-us/windows/win32/api/iads/nn-iads-iadswinntsysteminfo
IADsWinNTSystemInfo is the ADSI COM interface exposing UserName, ComputerName, DomainName and PDC, reachable from any COM-capable language or script engine with no whoami.exe involved.
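The ADSI interface linked last is the easiest of the three to exercise from a script, because both it and its LDAP-provider sibling are registered COM classes with script-friendly ProgIDs (WinNTSystemInfo and ADSystemInfo). The following added example (not part of the original post) calls both from PowerShell. WinNTSystemInfo works on any Windows host; ADSystemInfo only answers on a domain-joined machine that can reach a domain controller, so that branch is wrapped in try/catch.

```powershell
# Added example: current user via the ADSI system-info COM objects.
# Assumption: Windows host; the AD branch needs domain membership and a reachable DC.

function Get-AdsiUserInfo {
    $result = [ordered]@{}

    # IADsWinNTSystemInfo (WinNT provider): works off-domain as well.
    $winnt = New-Object -ComObject WinNTSystemInfo
    $result.UserName     = $winnt.UserName      # account name without domain
    $result.ComputerName = $winnt.ComputerName
    $result.DomainName   = $winnt.DomainName    # domain or workgroup name
    try { $result.PDC = $winnt.PDC } catch { $result.PDC = $null }   # no PDC to report in a workgroup

    # IADsADSystemInfo (LDAP provider): distinguished names and site, domain members only.
    try {
        $ad = New-Object -ComObject ADSystemInfo
        $result.UserDN          = $ad.UserName          # distinguishedName of the current user
        $result.ComputerDN      = $ad.ComputerName      # distinguishedName of this computer
        $result.SiteName        = $ad.SiteName
        $result.DomainShortName = $ad.DomainShortName
        $result.DomainDNSName   = $ad.DomainDNSName
        $result.IsNativeMode    = $ad.IsNativeMode
    } catch {
        $result.UserDN = "unavailable (not domain-joined or no DC reachable): $($_.Exception.Message)"
    }

    [PSCustomObject]$result
}

Get-AdsiUserInfo | Format-List
```

From a telemetry standpoint this is quieter than any line in the CMD sections: no child process, and the only artifacts are COM activation of activeds.dll inside the calling process and, for the AD branch, an LDAP query to the DC.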

Credit https://twitter.com/UK_Daniel_Card

This post is licensed under CC BY 4.0 by the author.