Windows System User Discovery Via Quser

Splunk Security Content

Summary
The rule 'Windows System User Discovery Via Quser' is designed to detect the execution of the quser.exe tool, commonly employed to gather user session information on Remote Desktop Session Host servers. This detection leverages process execution logs from Endpoint Detection and Response (EDR) agents, specifically targeting Sysmon EventID 1 and Windows Event Log Security 4688 logs. The primary concern with quser.exe is its potential use in post-exploitation scenarios, notably by tools like winpeas during ransomware attacks, where attackers can enumerate current user sessions to gain additional access, maintain persistence, or escalate privileges. Given the increasing prevalence of targeted ransomware attacks, monitoring this command’s use is critical for proactive defense and early detection of intrusions.
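The following is an added illustration of the detection logic described above, not the Splunk rule's own SPL or code: it normalizes the differently named fields of Sysmon EventID 1 and Security 4688 records onto one schema and flags any record whose process name is quser.exe. The sample events are constructed here, and the assumption that the EDR forwarder flattens each event to key=value text is mine.

```python
import ntpath
import re

# Constructed sample events (not from the rule page): Sysmon EventID 1 and
# Security 4688 records flattened to key=value text, as an EDR forwarder might emit.
SAMPLE_EVENTS = [
    'EventCode=1 Image=C:\\Windows\\System32\\quser.exe CommandLine="quser.exe /server:RDSH01" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe User=CORP\\svc_backup',
    'EventCode=4688 NewProcessName=C:\\Windows\\System32\\QUSER.EXE CommandLine=quser '
    'ParentProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe SubjectUserName=jdoe',
    'EventCode=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe '
    'ParentImage=C:\\Windows\\explorer.exe User=CORP\\jdoe',
]

# The two log sources name the same fields differently; map both onto one schema.
FIELD_MAP = {
    "1": {"image": "Image", "parent": "ParentImage", "user": "User"},
    "4688": {"image": "NewProcessName", "parent": "ParentProcessName", "user": "SubjectUserName"},
}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a key=value record into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def normalize(event):
    """Return a normalized dict, or None if the EventCode is not one of the two
    sources the rule covers (Sysmon 1, Security 4688)."""
    fields = FIELD_MAP.get(event.get("EventCode"))
    if fields is None:
        return None
    return {
        "event_code": event["EventCode"],
        # Basename + lowercase so "C:\...\QUSER.EXE" and "quser.exe" compare equal.
        "process_name": ntpath.basename(event.get(fields["image"], "")).lower(),
        "parent_process_name": ntpath.basename(event.get(fields["parent"], "")).lower(),
        "user": event.get(fields["user"], ""),
        "command_line": event.get("CommandLine", ""),
    }


def detect_quser(lines):
    """Return an alert for every covered record whose process name is quser.exe."""
    alerts = []
    for line in lines:
        norm = normalize(parse_event(line))
        if norm and norm["process_name"] == "quser.exe":
            alerts.append(norm)
    return alerts


if __name__ == "__main__":
    for a in detect_quser(SAMPLE_EVENTS):
        print(f"[{a['event_code']}] {a['user']} ran {a['process_name']} "
              f"via {a['parent_process_name']}: {a['command_line']}")
```

The parent process and user fields are carried along because, in triage, quser.exe launched from a service account or from an unusual parent is what separates routine administration from the post-exploitation enumeration the rule is written to catch.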
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1033
Created: 2024-11-13