Whoami.EXE Execution From Privileged Process

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

Sigma rule

title: Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
related:
    - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
      type: obsoletes
status: experimental
description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://nsudo.m2team.org/en-us/
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
date: 2022/01/28
modified: 2023/12/04
tags:
    - attack.privilege_escalation
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'whoami.exe'
        - Image|endswith: '\whoami.exe'
    selection_user:
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - 'TrustedInstaller'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
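As an added example (not part of the SigmaHQ rule or its tooling), the following Python reproduces this rule's detection logic over constructed process_creation events. It shows that the list of maps under selection_img is an OR, that Sigma string matching is case-insensitive, and why the 'AUTORI' substring is there: it catches localised SYSTEM account names such as the German "NT-AUTORITÄT".

```python
"""Minimal evaluator for the rule above. Added example, not SigmaHQ code;
it models only the modifiers this rule uses (exact, endswith, contains)."""

# Values copied from the rule, lower-cased because Sigma matching is
# case-insensitive by default.
IMAGE_NAMES = ("whoami.exe",)
IMAGE_SUFFIXES = ("\\whoami.exe",)
USER_SUBSTRINGS = ("authori", "autori", "trustedinstaller")


def selection_img(event: dict) -> bool:
    """A YAML list of maps in Sigma is an OR: either pair may match."""
    original = str(event.get("OriginalFileName", "")).lower()
    image = str(event.get("Image", "")).lower()
    return original in IMAGE_NAMES or image.endswith(IMAGE_SUFFIXES)


def selection_user(event: dict) -> bool:
    """User|contains with a list of values: any substring is enough."""
    user = str(event.get("User", "")).lower()
    return any(s in user for s in USER_SUBSTRINGS)


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_user(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # SYSTEM running whoami: Image suffix and 'AUTHORI' both match
    {"Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # German-localised SYSTEM account: matched through 'AUTORI'
    {"Image": r"C:\Windows\System32\whoami.exe", "User": r"NT-AUTORITÄT\SYSTEM"},
    # Renamed binary: still caught via OriginalFileName from the PE header
    {"Image": r"C:\Temp\w.exe", "OriginalFileName": "whoami.exe",
     "User": r"NT SERVICE\TrustedInstaller"},
    # Interactive user running whoami: selection_user fails, no alert
    {"Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe", "User": r"CORP\alice"},
    # Privileged account but a different binary: selection_img fails
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]


def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Return the indices of events the rule would fire on."""
    return [i for i, e in enumerate(events) if matches(e)]
```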
