Security Privileges Enumeration Via Whoami.EXE
Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
Sigma rule
title: Security Privileges Enumeration Via Whoami.EXE
id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
status: test
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth (Nextron Systems)
date: 2021-05-05
modified: 2023-02-28
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_cli:
        CommandLine|contains:
            - ' /priv'
            - ' -priv'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
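To show how the rule's condition evaluates, here is an added example (not code from the Sigma project or the rule author) that implements the two selections in plain Python and runs them over constructed process_creation events, including a renamed whoami binary that only the OriginalFileName check catches and a /all invocation that this rule deliberately does not match.

```python
# Added example: a minimal matcher for this rule's logic, not part of the Sigma project.
from typing import Dict, List

# Constructed sample events in Sysmon EventID 1 / 4688 style; these are not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe",
     "CommandLine": "whoami /priv"},
    # Renamed copy: Image no longer ends with \whoami.exe, but the PE version
    # resource still carries OriginalFileName, which selection_img also checks.
    {"Image": r"C:\Users\Public\w.exe",
     "OriginalFileName": "whoami.exe",
     "CommandLine": "w.exe -PRIV"},
    # Same binary, different flag: this belongs to the "Enumerate All Information
    # With Whoami.EXE" rule, not to this one.
    {"Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe",
     "CommandLine": "whoami /all"},
    # ' /priv' in the command line alone is not enough: selection_img must match too.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo /priv"},
]


def selection_img(event: Dict[str, str]) -> bool:
    # Sigma string matching is case-insensitive by default, so normalise first.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    # The list under selection_img is OR-ed: either field is sufficient.
    return image.endswith("\\whoami.exe") or original == "whoami.exe"


def selection_cli(event: Dict[str, str]) -> bool:
    cli = event.get("CommandLine", "").lower()
    # CommandLine|contains with a list: any listed substring matches.
    return any(flag in cli for flag in (" /priv", " -priv"))


def matches_rule(event: Dict[str, str]) -> bool:
    # condition: all of selection_*  ->  both selections must be true.
    return selection_img(event) and selection_cli(event)


def matching_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```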
Related rules
- Potential Dridex Activity
- Cisco Discovery
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- Enumerate All Information With Whoami.EXE