Enumerate All Information With Whoami.EXE

 1title: Enumerate All Information With Whoami.EXE
 2id: c248c896-e412-4279-8c15-1c558067b6fa
 3status: experimental
 4description: Detects the execution of "whoami.exe" with the "/all" flag
 5references:
 6    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
 7    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 8    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
 9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2023-12-04
11modified: 2024-03-05
12tags:
13    - attack.discovery
14    - attack.t1033
15    - car.2016-03-001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_main_img:
21        - Image|endswith: '\whoami.exe'
22        - OriginalFileName: 'whoami.exe'
23    selection_main_cli:
24        CommandLine|contains|windash: ' -all'
25    condition: all of selection_main_*
26falsepositives:
27    - Unknown
28level: medium

References

• https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/

  
  Read More

• Analysis SwiftPayment Recipt_Protected.iso (MD5: D78950F87C18713DE8CFC9FC2D617D5E) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• YouTube

  

  Share your videos with friends, family, and the world

  
  Read More

Related rules

• HackTool - SharpLdapWhoami Execution
• Renamed Whoami Execution
• WhoAmI as Parameter
• Whoami Utility Execution
• Cisco Discovery