Detects a set of suspicious network related commands often used in recon stages

Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation

Detects the execution of whoami.exe with suspicious parent processes.

Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Detects the execution of whoami that has been renamed to a different name to avoid detection

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)