Whoami.EXE Execution From Privileged Process
Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
Sigma rule

title: Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
related:
    - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
      type: obsolete
status: test
description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
date: 2022-01-28
modified: 2023-12-04
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'whoami.exe'
        - Image|endswith: '\whoami.exe'
    selection_user:
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - 'TrustedInstaller'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
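To show what the detection block above actually matches, here is an added Python re-implementation of the rule's logic (not SigmaHQ project code) run over a handful of constructed process_creation events; the event dicts and field values are made up for illustration and use the Sigma windows/process_creation field names (Image, OriginalFileName, User). Sigma string matching is case-insensitive, which is why the 'AUTORI' fragment also catches localized authority names.

```python
# Constructed sample events (not real telemetry); field names follow the
# Sigma windows/process_creation taxonomy used by the rule above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                       # privileged -> hit
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "User": r"CORP\jdoe"},                                 # ordinary user -> no hit
    {"Image": r"C:\Temp\w.exe", "OriginalFileName": "whoami.exe",
     "User": r"NT AUTORITÉ\Système"},                       # renamed binary, localized SYSTEM -> hit
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"NT AUTHORITY\SYSTEM"},                       # not whoami -> no hit
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "User": r"NT SERVICE\TrustedInstaller"},               # TrustedInstaller -> hit
]


def selection_img(ev):
    """selection_img: a list of field maps is OR'd; matching is case-insensitive."""
    ofn = ev.get("OriginalFileName", "").lower()
    img = ev.get("Image", "").lower()
    # OriginalFileName catches copies/renames of the binary (PE version info survives),
    # Image|endswith catches the stock path.
    return ofn == "whoami.exe" or img.endswith("\\whoami.exe")


def selection_user(ev):
    """selection_user: User|contains with a value list is OR'd over the substrings."""
    user = ev.get("User", "").lower()
    return any(s.lower() in user for s in ("AUTHORI", "AUTORI", "TrustedInstaller"))


def matches_rule(ev):
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(ev) and selection_user(ev)


def run(events):
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['User']} -> {SAMPLE_EVENTS[i]['Image']}")
```

Note that the third event is caught only through OriginalFileName, which is why the rule keys on both fields.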
Related rules
- Potential Dridex Activity
- Security Privileges Enumeration Via Whoami.EXE
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Whoami.EXE Execution Anomaly