Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Read More

Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.

Read More

Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells

Read More

Detects certain command line parameters often used during reconnaissance activity via web shells

Read More

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

Read More

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Read More

Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.

Read More

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file

Read More

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Read More

Detects the use of PowerShell to identify the current logged user.

Read More

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file

Read More

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

Read More

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Read More

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.

Read More

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Read More

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

Read More

Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.

Read More

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

Read More

Detects potential Dridex acitvity via specific process patterns

Read More

Detects wscript spawning CMD which in turn runs whoami, with the output of the command directed to a file. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects querying of Windows Security log for account activity

Read More

Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.

Read More

Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.

Read More

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

Read More

Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation

Read More

Detects the execution of whoami.exe with suspicious parent processes.

Read More

Local accounts, System Owner/User discovery using operating systems utilities

Read More

Detects the execution of whoami that has been renamed to a different name to avoid detection

Read More

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)

Read More

Find information about network devices that is not stored in config files

Read More

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Read More