car.2016-03-001

Whoami.EXE Execution Anomaly

Apr 7, 2025 · attack.discovery attack.t1033 car.2016-03-001 ·

Share on:

Detects the execution of whoami.exe with suspicious parent processes.

Enumerate All Information With Whoami.EXE

Jan 6, 2025 · attack.discovery attack.t1033 car.2016-03-001 ·

Share on:

Detects the execution of "whoami.exe" with the "/all" flag

Whoami.EXE Execution With Output Option

Oct 1, 2024 · attack.discovery attack.t1033 car.2016-03-001 ·

Share on:

Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.

HackTool - SharpLdapWhoami Execution

Aug 12, 2024 · attack.discovery attack.t1033 car.2016-03-001 ·

Share on:

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Network Reconnaissance Activity

Aug 12, 2024 · attack.discovery attack.t1087 attack.t1082 car.2016-03-001 ·

Share on:

Detects a set of suspicious network related commands often used in recon stages

Renamed Whoami Execution

Aug 12, 2024 · attack.discovery attack.t1033 car.2016-03-001 ·

Share on:

Detects the execution of whoami that has been renamed to a different name to avoid detection

WhoAmI as Parameter

Aug 12, 2024 · attack.discovery attack.t1033 car.2016-03-001 ·

Share on:

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)

Whoami Utility Execution

Aug 12, 2024 · attack.discovery attack.t1033 car.2016-03-001 ·

Share on:

Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation

Reconnaissance Activity Using BuiltIn Commands

Apr 21, 2023 · attack.discovery attack.t1087 attack.t1082 car.2016-03-001 ·

Share on:

Detects execution of a set of builtin commands often used in recon stages by different attack groups