Whoami Recon Writing Output to File
SocGholish employs several scripted reconnaissance commands. While much of this activity occurs in memory, one that stands out is the execution of whoami with its output redirected to a local temp file named rad<5-hex-chars>.tmp. The rule below matches a cmd.exe process spawned by wscript.exe whose command line contains `whoami /all >>` (note the append redirection); it does not match on the temp-file name, so that naming convention is a triage aid rather than part of the detection logic, and any wscript.exe-launched script that appends whoami output to a file will produce the same hit. The rule is adapted from the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: Whoami Recon Writing Output to File
id: abcdf274-2fbd-4736-a16b-032fcac54eee
status: experimental
description: |
    SocGholish employs several scripted reconnaissance commands. While much of this activity
    occurs in memory, one that stands out is the execution of whoami with the output redirected
    to a local temp file with the naming convention rad<5-hex-chars>.tmp. Part of the RedCanary
    2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wscript.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'whoami /all >>'
    condition: selection
falsepositives:
    - Unknown
level: low
```
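To show how the selection above behaves on telemetry, here is an added Python example (not part of the Sigma rule or the RedCanary report) that applies the three field conditions, with Sigma's default case-insensitive string matching, to a handful of constructed Sysmon-style process_creation events. The `rad<5-hex-chars>.tmp` filename check is a hypothetical triage tightening that the rule itself does not include; the field names follow the Sigma windows process_creation taxonomy and the sample events are made up for this example.

```python
import re

# Constructed process_creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {   # the SocGholish pattern the rule targets: wscript -> cmd -> whoami /all appended to rad*.tmp
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami /all >> C:\Users\jdoe\AppData\Local\Temp\rad1A2B3.tmp',
    },
    {   # same command from an interactive shell: ParentImage does not match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami /all >> C:\temp\me.txt",
    },
    {   # wscript -> cmd, but no append redirection: CommandLine does not match
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami /all",
    },
    {   # mixed case: Sigma string matching is case-insensitive, so this must still fire
        "ParentImage": r"C:\WINDOWS\SYSTEM32\WSCRIPT.EXE",
        "Image": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
        "CommandLine": r"CMD.EXE /C WHOAMI /ALL >> C:\Users\jdoe\AppData\Local\Temp\radB00F5.tmp",
    },
    {   # fires the rule, but the target is not a rad<5-hex>.tmp file: the triage check separates it
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami /all >> C:\Users\jdoe\AppData\Local\Temp\out.txt",
    },
]


def matches_rule(event):
    """The rule's 'selection': all three field conditions must hold (Sigma AND semantics)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith("\\wscript.exe")          # ParentImage|endswith: '\wscript.exe'
        and image.endswith("\\cmd.exe")           # Image|endswith: '\cmd.exe'
        and "whoami /all >>" in cmdline           # CommandLine|contains: 'whoami /all >>'
    )


# Hypothetical tightening, not part of the Sigma rule: the description names a rad<5-hex>.tmp
# temp file, so a triage step can check whether the '>>' target follows that convention.
RAD_TMP_RE = re.compile(r'>>\s*"?[^\s"]*\\rad[0-9a-f]{5}\.tmp"?', re.IGNORECASE)


def redirects_to_rad_tmp(event):
    """True when the command line appends its output to a file named rad<5-hex-chars>.tmp."""
    return RAD_TMP_RE.search(event.get("CommandLine", "")) is not None


def triage(events):
    """Return (index, rule_hit, rad_tmp_target) for every event that fires the rule."""
    return [(i, True, redirects_to_rad_tmp(e)) for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for idx, hit, rad in triage(SAMPLE_EVENTS):
        print(f"event {idx}: rule hit={hit}, rad<5-hex>.tmp target={rad}")
```

Events 0, 3 and 4 fire the rule; only 0 and 3 also write to a rad<5-hex>.tmp file, which is the kind of secondary check an analyst would apply when the rule fires in an environment where wscript.exe-launched scripts legitimately append whoami output.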
References
- https://redcanary.com/threat-detection-report/threats/socgholish/
Related rules
- SocGholish Script File Whoami Output to File (RedCanary Threat Detection Report)
- Enumerating Domain Trust Relationships with Nltest.exe
- WMI Reconnaissance
- AdFind Discovery
- Invoke-ShareFinder Discovery Activity