Renamed Whoami Execution

Detects the execution of whoami that has been renamed to a different name to avoid detection

Sigma rule

title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2021/08/12
modified: 2022/10/09
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'whoami.exe'
    filter:
        Image|endswith: '\whoami.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
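The rule's condition (selection and not filter) applied to a handful of constructed process-creation events, as an added Python example that is not code from the SigmaHQ project; the Sysmon-style field names Image, OriginalFileName and CommandLine are assumed, and Sigma's default case-insensitive string matching is reproduced with lower().

```python
"""Evaluate the 'Renamed Whoami Execution' logic over constructed
process-creation events (added example, not part of the Sigma rule)."""
import json

# Constructed sample events in the shape of Windows process_creation
# (Sysmon Event ID 1) records; only the fields the rule reads matter.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "CommandLine": "whoami /all"},                      # legitimate binary
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "whoami.exe",
     "CommandLine": "svchost.exe"},                      # renamed copy -> should alert
    {"Image": r"C:\Temp\WhoAmI.EXE", "OriginalFileName": "WHOAMI.EXE",
     "CommandLine": "WhoAmI.EXE /groups"},               # odd casing, still named whoami.exe
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c whoami"},                    # whoami only in the command line
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},  # field absent
]


def selection(event):
    """selection: OriginalFileName equals 'whoami.exe' (case-insensitive)."""
    return event.get("OriginalFileName", "").lower() == "whoami.exe"


def filter_(event):
    """filter: Image ends with '\\whoami.exe' (case-insensitive)."""
    return event.get("Image", "").lower().endswith("\\whoami.exe")


def matches(event):
    """condition: selection and not filter."""
    return selection(event) and not filter_(event)


def evaluate(events):
    """Return the Image path of every event that triggers the rule."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(json.dumps({"rule": "Renamed Whoami Execution", "Image": hit}))
```

Only the second event fires: the third is excluded by the filter despite its casing, the fourth never enters the selection because the rule looks at the PE's OriginalFileName rather than the command line, and the fifth shows that the rule depends on the log source populating OriginalFileName at all.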
