Whoami.EXE Execution With Output Option

 1title: Whoami.EXE Execution With Output Option
 2id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
 3status: experimental
 4description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
 5references:
 6    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
 7    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 8    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
 9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2023/02/28
11modified: 2023/12/04
12tags:
13    - attack.discovery
14    - attack.t1033
15    - car.2016-03-001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_main_img:
21        - Image|endswith: '\whoami.exe'
22        - OriginalFileName: 'whoami.exe'
23    selection_main_cli:
24        CommandLine|contains:
25            - ' /FO CSV'
26            - ' -FO CSV'
27    selection_special:
28        CommandLine|contains: 'whoami*>'
29    condition: all of selection_main_* or selection_special
30falsepositives:
31    - Unknown
32level: medium

References

• https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/

  
  Read More

• Analysis SwiftPayment Recipt_Protected.iso (MD5: D78950F87C18713DE8CFC9FC2D617D5E) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• YouTube

  

  Share your videos with friends, family, and the world

  
  Read More

Related rules

• Whoami Utility Execution
• Whoami.EXE Execution Anomaly
• HackTool - SharpLdapWhoami Execution
• Renamed Whoami Execution
• WhoAmI as Parameter