User Discovery via Whoami
The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3deprecation_date = "2021/04/15"
4maturity = "deprecated"
5updated_date = "2021/04/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for
11privileged access.
12"""
13false_positives = [
14 """
15 Security testing tools and frameworks may run this command. Some normal use of this command may originate from
16 automation tools and frameworks.
17 """,
18]
19from = "now-9m"
20index = ["auditbeat-*", "logs-endpoint.events.*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "User Discovery via Whoami"
24risk_score = 21
25rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
26severity = "low"
27tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.category:process and event.type:(start or process_started) and process.name:whoami
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1033"
40name = "System Owner/User Discovery"
41reference = "https://attack.mitre.org/techniques/T1033/"
42
43
44[rule.threat.tactic]
45id = "TA0007"
46name = "Discovery"
47reference = "https://attack.mitre.org/tactics/TA0007/"
Related rules
- Base64 Encoding/Decoding Activity
- Hex Encoding/Decoding Activity
- Mknod Process Activity
- Network Sniffing via Tcpdump
- Nmap Process Activity