Detects querying of Windows Security log for account activity

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file

Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.

Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation

Detects the execution of whoami.exe with suspicious parent processes.

Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.

Local accounts, System Owner/User discovery using operating systems utilities

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Detects the execution of whoami that has been renamed to a different name to avoid detection

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file

Detects certain command line parameters often used during reconnaissance activity via web shells

Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)

Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.

Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

Find information about network devices that is not stored in config files

Detects the use of PowerShell to identify the current logged user.

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.