Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.
Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
Detects the execution of whoami that has been renamed to a different name to avoid detection
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)