WHOAMI
Adversaries may use the “whoami” command to quickly identify the current user on a compromised system, helping them assess privileges and plan further attacks. However, it’s important to note that this is just a basic step in their reconnaissance process. There are different approaches to executing the “whoami” command.
CMD Prompt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
whoami
whoami /all
set
echo %username%
tasklist /v
cmd %username%
dsregcmd /status
klist
cmd.exe /c echo %username%
Powershell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[Environment]::UserName
$env:USERNAME
gci env:* | sort-object name
ls env:USERNAME
gci env:USERNAME
gci env:*
ls env:*
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$(Get-WMIObject -class Win32_ComputerSystem | select username).username
Write-Host $(whoami)
[String] ${stUserDomain},[String] ${stUserAccount} = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\")
$username=( ( Get-WMIObject -class Win32_ComputerSystem | Select-Object -ExpandProperty username ) -split '\\' )[1]
$sig = @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetUserName(System.Text.StringBuilder sb, ref Int32 length);
'@
Add-Type -MemberDefinition $sig -Namespace Advapi32 -Name Util
$size = 64
$str = New-Object System.Text.StringBuilder -ArgumentList $size
[Advapi32.util]::GetUserName($str, [ref]$size) |Out-Null
$str.ToString()
More CMD Prompts
1
2
3
4
5
6
7
8
9
10
11
12
13
tasklist /v
dsregcmd /status
klist
wmic.exe computersystem get username
reg query "HKCU\Volatile Environment" /v USERNAME
reg query "HKCU\Volatile Environment" /v USERPROFILE
Get-ItemProperty -Path 'HKCU:\Volatile Environment\' -Name USERNAME | Select-Object USERNAME
LOLBINS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
tasklist /v
dsregcmd /status
klist
wmic.exe computersystem get username
reg query "HKCU\Volatile Environment" /v `USERNAME
reg query "HKCU\Volatile Environment" /v USERPROFILE`
Get-ItemProperty -Path 'HKCU:\Volatile Environment\' -Name USERNAME | Select-Object USERNAME
$id = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -ExpandProperty ID
$processinfo = (Get-WmiObject -Class Win32_Process -Filter "Handle=$id").GetOwner()
$processinfo | select-object -property User
$id = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -ExpandProperty ID
$processinfo = (Get-WmiObject -Class Win32_Process -Filter "Handle=$id").GetOwner()
$processinfo | select-object -property User
(Get-LocalUser -Name $env:USERNAME | Select-Object sid).sid
(Get-ItemProperty `"HKCU:\\Software\\Microsoft\\Office\\Common\\UserInfo\").UserName`
Other ways
1
2
3
4
wmic useraccount where name='%username%' get sid
wmic useraccount where sid='XXXXXXXXXXXX' get name
gpresult /R /Z
Directly Calling Methods
https://learn.microsoft.com/en-us/windows/win32/api/rpcndr/nf-rpcndr-ndrclientcall3
https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-rtl_user_process_parameters
https://learn.microsoft.com/en-us/windows/win32/api/iads/nn-iads-iadswinntsysteminfo
Credit https://twitter.com/UK_Daniel_Card
This post is licensed under CC BY 4.0 by the author.