whoami.exe

File Path: C:\WINDOWS\system32\whoami.exe
Description: whoami - displays logged on user information

Hashes

Type	Hash
MD5	`2EEEEC89E705F73FFBCAE014E1828788`
SHA1	`8F1F9E265911956C7F8F3861C34DEF9B8FA63813`
SHA256	`A8A4C4719113B071BB50D67F6E12C188B92C70EEAFDFCD6F5DA69B6AAA99A7FD`
SHA384	`FFB7F78AAFD2D6D5D62A14F74E19E02DA3021EAD5D74C9BD8625EBB8EC55BB95E60613F91E50F4BFA04F5FFF7EEFABF6`
SHA512	`DE89213C2DBD4C6DCBAF43F2114D8AC7FB9C020AB96253F27EDF5A31FBD7DD56F9137C8FE5F5975E1334DE8746A86E7C4E125096F707478790E409CC0F841525`
SSDEEP	`1536:EGBDfyBE2KRU/yEEurpIKbhPB0AixxL/80aLbs5x5dx5J:EGJyCtRUaKb1B0Aj0akx5dxX`

Runtime Data

Usage (stdout):

WhoAmI has three ways of working: 

Syntax 1:
    WHOAMI [/UPN | /FQDN | /LOGONID]

Syntax 2:
    WHOAMI { [/USER] [/GROUPS] [/CLAIMS] [/PRIV] } [/FO format] [/NH]

Syntax 3:
    WHOAMI /ALL [/FO format] [/NH]

Description:
    This utility can be used to get user name and group information
    along with the respective security identifiers (SID), claims,
    privileges, logon identifier (logon ID) for the current user
    on the local system. I.e. who is the current logged on user?
    If no switch is specified, tool displays the user name in NTLM
    format (domain\username).

Parameter List:
    /UPN                    Displays the user name in User Principal 
                            Name (UPN) format.

    /FQDN                   Displays the user name in Fully Qualified 
                            Distinguished Name (FQDN) format.

    /USER                   Displays information on the current user
                            along with the security identifier (SID).

    /GROUPS                 Displays group membership for current user,
                            type of account, security identifiers (SID)
                            and attributes.

    /CLAIMS                 Displays claims for current user,
                            including claim name, flags, type and values.

    /PRIV                   Displays security privileges of the current
                            user.

    /LOGONID                Displays the logon ID of the current user.

    /ALL                    Displays the current user name, groups 
                            belonged to along with the security 
                            identifiers (SID), claims and privileges for 
                            the current user access token.

    /FO       format        Specifies the output format to be displayed.
                            Valid values are TABLE, LIST, CSV.
                            Column headings are not displayed with CSV
                            format. Default format is TABLE.

    /NH                     Specifies that the column header should not
                            be displayed in the output. This is
                            valid only for TABLE and CSV formats.

    /?                      Displays this help message.

Examples:
    WHOAMI
    WHOAMI /UPN
    WHOAMI /FQDN 
    WHOAMI /LOGONID
    WHOAMI /USER
    WHOAMI /USER /FO LIST
    WHOAMI /USER /FO CSV
    WHOAMI /GROUPS
    WHOAMI /GROUPS /FO CSV /NH
    WHOAMI /CLAIMS
    WHOAMI /CLAIMS /FO LIST
    WHOAMI /PRIV
    WHOAMI /PRIV /FO TABLE
    WHOAMI /USER /GROUPS
    WHOAMI /USER /GROUPS /CLAIMS /PRIV
    WHOAMI /ALL
    WHOAMI /ALL /FO LIST
    WHOAMI /ALL /FO CSV /NH
    WHOAMI /?

Usage (stderr):

ERROR: Invalid argument/option - '-help'.
Type "WHOAMI /?" for usage.

Signature

Status: Signature verified.
Serial: 330000023241FB59996DCC4DFF000000000232
Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: whoami.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.18362.1 (WinBuild.160101.0800)
Product Version: 10.0.18362.1
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of whoami.exe being misused. While whoami.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	godmode_sigma_rule.yml	`- 'whoami'`	DRL 1.0
sigma	godmode_sigma_rule.yml	`# Running whoami as LOCAL_SYSTEM (usually after privilege escalation)`	DRL 1.0
sigma	godmode_sigma_rule.yml	`Image\\|contains: '\whoami.exe'`	DRL 1.0
sigma	proc_creation_lnx_webshell_detection.yml	`- '/whoami'`	DRL 1.0
sigma	web_webshell_keyword.yml	`- =whoami`	DRL 1.0
sigma	proc_creation_win_apt_greenbug_may20.yml	`- '-noninteractive -executionpolicy bypass whoami'`	DRL 1.0
sigma	proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml	`- 'whoami'`	DRL 1.0
sigma	proc_creation_win_cobaltstrike_process_patterns.yml	`CommandLine\\|contains: '\cmd.exe /C whoami'`	DRL 1.0
sigma	proc_creation_win_cobaltstrike_process_patterns.yml	`- '/C whoami'`	DRL 1.0
sigma	proc_creation_win_cobaltstrike_process_patterns.yml	`- '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_impacket_lateralization.yml	`# cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1`	DRL 1.0
sigma	proc_creation_win_local_system_owner_account_discovery.yml	`- Image\\|endswith: '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_malware_dridex.yml	`Image\\|endswith: '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_whoami.yml	`title: Renamed Whoami Execution`	DRL 1.0
sigma	proc_creation_win_renamed_whoami.yml	`description: Detects the execution of whoami that has been renamed to a different name to avoid detection`	DRL 1.0
sigma	proc_creation_win_renamed_whoami.yml	`OriginalFileName: 'whoami.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_whoami.yml	`Image\\|endswith: '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_susp_commands_recon_activity.yml	`- whoami`	DRL 1.0
sigma	proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml	`CommandLine\\|contains: 'whoami'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_by_java.yml	`- '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_by_java_keytool.yml	`- '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_from_winrm.yml	`- '*\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_susp_spoolsv_child_processes.yml	`- \whoami.exe`	DRL 1.0
sigma	proc_creation_win_susp_whoami.yml	`title: Whoami Execution`	DRL 1.0
sigma	proc_creation_win_susp_whoami.yml	`description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators`	DRL 1.0
sigma	proc_creation_win_susp_whoami.yml	`Image\\|endswith: '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_susp_whoami_anomaly.yml	`title: Whoami Execution Anomaly`	DRL 1.0
sigma	proc_creation_win_susp_whoami_anomaly.yml	`description: Detects the execution of whoami with suspicious parents or parameters`	DRL 1.0
sigma	proc_creation_win_susp_whoami_anomaly.yml	`Image\\|endswith: '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_susp_whoami_anomaly.yml	`- 'whoami -all'`	DRL 1.0
sigma	proc_creation_win_susp_whoami_anomaly.yml	`- 'whoami /all'`	DRL 1.0
sigma	proc_creation_win_susp_whoami_anomaly.yml	`- 'whoami.exe -all'`	DRL 1.0
sigma	proc_creation_win_susp_whoami_anomaly.yml	`- 'whoami.exe /all'`	DRL 1.0
sigma	proc_creation_win_susp_whoami_as_param.yml	`title: WhoAmI as Parameter`	DRL 1.0
sigma	proc_creation_win_susp_whoami_as_param.yml	`description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)`	DRL 1.0
sigma	proc_creation_win_susp_whoami_as_param.yml	`CommandLine\\|contains: '.exe whoami'`	DRL 1.0
sigma	proc_creation_win_webshell_detection.yml	`- '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_whoami_as_priv_user.yml	`title: Run Whoami as Privileged User`	DRL 1.0
sigma	proc_creation_win_whoami_as_priv_user.yml	`description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors`	DRL 1.0
sigma	proc_creation_win_whoami_as_priv_user.yml	`Image\\|endswith: '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_whoami_as_system.yml	`title: Run Whoami as SYSTEM`	DRL 1.0
sigma	proc_creation_win_whoami_as_system.yml	`description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.`	DRL 1.0
sigma	proc_creation_win_whoami_as_system.yml	`Image\\|endswith: '\whoami.exe'`	DRL 1.0
sigma	proc_creation_win_whoami_priv.yml	`title: Run Whoami Showing Privileges`	DRL 1.0
sigma	proc_creation_win_whoami_priv.yml	`description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.`	DRL 1.0
sigma	proc_creation_win_whoami_priv.yml	`- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami`	DRL 1.0
sigma	proc_creation_win_whoami_priv.yml	`Image\\|endswith: '\whoami.exe'`	DRL 1.0
atomic-red-team	T1033.md	Utilities and commands that acquire this information include `whoami`. In Mac and Linux, the currently logged in user can be identified with `w` and `who`.</blockquote>	MIT License. © 2018 Red Canary
atomic-red-team	T1033.md	cmd.exe /C whoami	MIT License. © 2018 Red Canary
atomic-red-team	T1053.006.md	systemd-run –user –unit=Atomic-Red-Team –on-calendar ‘*:0/1’ /bin/sh -c ‘echo “$(date) $(whoami)” »/tmp/log’	MIT License. © 2018 Red Canary
atomic-red-team	T1053.006.md	systemd-run –unit=Atomic-Red-Team –on-calendar ‘*:0/1’ /bin/sh -c ‘echo “$(date) $(whoami)” »/tmp/log’	MIT License. © 2018 Red Canary
atomic-red-team	T1056.001.md	whoami	MIT License. © 2018 Red Canary
atomic-red-team	T1056.001.md	whoami; ausearch -i –start $(date +”%d/%m/%y %H:%M:%S”)	MIT License. © 2018 Red Canary
atomic-red-team	T1070.003.md	whoami	MIT License. © 2018 Red Canary
atomic-red-team	T1110.001.md	sudo -k && echo “$P” \|sudo -S whoami &>/tmp/file; \	MIT License. © 2018 Red Canary
atomic-red-team	T1550.002.md	\| command \| command to execute \| String \| whoami\|	MIT License. © 2018 Red Canary
atomic-red-team	T1562.003.md	\| evil_command \| Command to run after shell history collection is disabled \| String \| whoami\|	MIT License. © 2018 Red Canary
atomic-red-team	T1562.003.md	4. whoami > recon.txt	MIT License. © 2018 Red Canary
signature-base	apt_lazarus_dec17.yar	$x8 = “whoami /groups \| findstr /c:"S-1-5-32-544"” fullword ascii	CC BY-NC 4.0
signature-base	apt_oilrig.yar	/* whoami & hostname */	CC BY-NC 4.0
signature-base	apt_oilrig.yar	$s1 = “whoami & hostname & ipconfig /all” ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s5 = “WHOAMI” ascii	CC BY-NC 4.0
signature-base	gen_lnx_malware_indicators.yar	$s5 = “whoami” ascii fullword	CC BY-NC 4.0
signature-base	gen_p0wnshell.yar	$x1 = “Pshell.RunPSCommand(Whoami);” fullword ascii	CC BY-NC 4.0
signature-base	gen_recon_indicators.yar	$s4 = “whoami” ascii	CC BY-NC 4.0
signature-base	gen_suspicious_strings.yar	$ = “whoami”	CC BY-NC 4.0
signature-base	gen_webshells.yar	$gen_bit_sus66 = “whoami” fullword wide ascii	CC BY-NC 4.0
signature-base	thor-webshells.yar	$s1 = “if(!$whoami)$whoami=exec("whoami"); echo "whoami :".$whoami." ";” fullword	CC BY-NC 4.0
signature-base	thor-webshells.yar	$s17 = “if(!$whoami)$whoami=exec("whoami");” fullword	CC BY-NC 4.0
stockpile	55678719-e76e-4df9-92aa-10655bbd1cf4.yml	`cmd.exe /c "whoami /priv" >> C:\Windows\temp\history.log;`	Apache-2.0
stockpile	bd527b63-9f9e-46e0-9816-b8434d2b8989.yml	`whoami`	Apache-2.0
stockpile	c0da588f-79f0-4263-8998-7496b1a40596.yml	`command: whoami`	Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

whoami

Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.

Syntax

whoami [/upn | /fqdn | /logonid]
whoami {[/user] [/groups] [/priv]} [/fo <Format>] [/nh]
whoami /all [/fo <Format>] [/nh]

Parameters

Parameter	Description
/upn	Displays the user name in user principal name (UPN) format.
/fqdn	Displays the user name in fully qualified domain name (FQDN) format.
/logonid	Displays the logon ID of the current user.
/user	Displays the current domain and user name and the security identifier (SID).
/groups	Displays the user groups to which the current user belongs.
/priv	Displays the security privileges of the current user.
/fo <Format>	Specifies the output format. Valid values include:</br>table Displays output in a table. This is the default value.</br>list Displays output in a list.</br>csv Displays output in comma-separated value (CSV) format.
/all	Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.
/nh	Specifies that the column header should not be displayed in the output. This is valid only for table and CSV formats.
/?	Displays help at the command prompt.

Examples

To display the domain and user name of the person who is currently logged on to this computer, type:

whoami

Output similar to the following appears:

DOMAIN1\administrator

To display all of the information in the current access token, type:

whoami /all

Additional References

Command-Line Syntax Key