Whoami.EXE Execution With Output Option

calendar Oct 1, 2024 · attack.discovery attack.t1033 car.2016-03-001  ·
Share on: linkedin copy

Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.

Sigma rule (View on GitHub)

 1title: Whoami.EXE Execution With Output Option
 2id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
 3status: test
 4description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
 5references:
 6    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
 7    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 8    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
 9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2023-02-28
11modified: 2023-12-04
12tags:
13    - attack.discovery
14    - attack.t1033
15    - car.2016-03-001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_main_img:
21        - Image|endswith: '\whoami.exe'
22        - OriginalFileName: 'whoami.exe'
23    selection_main_cli:
24        CommandLine|contains:
25            - ' /FO CSV'
26            - ' -FO CSV'
27    selection_special:
28        CommandLine|contains: 'whoami*>'
29    condition: all of selection_main_* or selection_special
30falsepositives:
31    - Unknown
32level: medium

References

Related rules

to-top