Techniques
Sample rules
Windows System User Discovery Via Quser
- source: splunk
- technicques:
- T1033
Description
The following analytic identifies a process execution of Windows OS quser.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather information about user sessions on a Remote Desktop Session Host server. This command can find out if a specific user is logged on to a specific Remote Desktop Session Host server. This tool can retrieve some RDP information that can be use by attacker for further attack like Name of the user , Name of the session on the Remote Desktop Session Host server, Session ID, State of the session (active or disconnected), Idle time (the number of minutes since the last keystroke or mouse movement at the session) and Date and time the user logged on.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe" OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_user_discovery_via_quser_filter`