WhoAmI as Parameter
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Sigma rule

```yaml
title: WhoAmI as Parameter
id: e9142d84-fbe0-401d-ac50-3e519fb00c89
status: test
description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
references:
    - https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '.exe whoami'
    condition: selection
falsepositives:
    - Unknown
level: high
```
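To show what the selection above actually fires on, here is an added example (not part of the rule or the Sigma project) that evaluates the `CommandLine|contains: '.exe whoami'` selection with Sigma's default case-insensitive substring semantics over a handful of constructed process_creation events. Note how `whoami.exe /all` and `cmd.exe /c whoami` do not match, because the rule requires `whoami` to be the first parameter directly after an `.exe`.

```python
"""Evaluate the 'WhoAmI as Parameter' Sigma selection over sample process_creation events."""

# Mirrors the rule's selection block: CommandLine|contains: '.exe whoami'
SELECTION = {"CommandLine|contains": ".exe whoami"}


def _sigma_contains(field_value: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive by default, so normalise both sides.
    return needle.lower() in field_value.lower()


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Return True when every entry of the selection map matches (entries are AND-ed).

    Only the |contains modifier is implemented here, which is all this rule needs;
    a list of values for one field is OR-ed, as in Sigma.
    """
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise NotImplementedError(f"modifier {modifier!r} not supported in this example")
        value = event.get(field)
        if value is None:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_sigma_contains(value, c) for c in candidates):
            return False
    return True


# Constructed sample events (not real telemetry); only the fields the rule needs.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": "EfsPotato.exe whoami"},              # first parameter is whoami
    {"id": 2, "CommandLine": "whoami.exe /all"},                   # whoami is the binary, not a parameter
    {"id": 3, "CommandLine": r"C:\tools\tool.exe WHOAMI"},         # case differs, still matches
    {"id": 4, "CommandLine": "cmd.exe /c whoami"},                 # whoami is not the first parameter
]


def matching_event_ids(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the selection matches."""
    return [e["id"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    print(matching_event_ids())  # [1, 3]
```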
References
- https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
Related rules
- Enumerate All Information With Whoami.EXE
- HackTool - SharpLdapWhoami Execution
- Renamed Whoami Execution
- Whoami Utility Execution
- Cisco Discovery