Suspicious Whoami.EXE Execution
Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.
Sigma rule (View on GitHub)
1title: Suspicious Whoami.EXE Execution
2id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
3status: experimental
4description: Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.
5references:
6 - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
7 - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
8 - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2023/02/28
11modified: 2023/11/10
12tags:
13 - attack.discovery
14 - attack.t1033
15 - car.2016-03-001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_main_img:
21 - Image|endswith: '\whoami.exe'
22 - OriginalFileName: 'whoami.exe'
23 selection_main_cli:
24 CommandLine|contains:
25 - ' -all'
26 - ' /all'
27 - ' /FO CSV'
28 - ' -FO CSV'
29 selection_special:
30 CommandLine|contains: 'whoami*>'
31 condition: all of selection_main_* or selection_special
32falsepositives:
33 - Unknown
34level: high
References
-
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- Whoami Utility Execution
- Whoami.EXE Execution Anomaly
- Renamed Whoami Execution
- WhoAmI as Parameter
- Computer Discovery And Export Via Get-ADComputer Cmdlet