whoami.exe

  • File Path: C:\WINDOWS\system32\whoami.exe
  • Description: whoami - displays logged on user information

Hashes

Type Hash
MD5 2EEEEC89E705F73FFBCAE014E1828788
SHA1 8F1F9E265911956C7F8F3861C34DEF9B8FA63813
SHA256 A8A4C4719113B071BB50D67F6E12C188B92C70EEAFDFCD6F5DA69B6AAA99A7FD
SHA384 FFB7F78AAFD2D6D5D62A14F74E19E02DA3021EAD5D74C9BD8625EBB8EC55BB95E60613F91E50F4BFA04F5FFF7EEFABF6
SHA512 DE89213C2DBD4C6DCBAF43F2114D8AC7FB9C020AB96253F27EDF5A31FBD7DD56F9137C8FE5F5975E1334DE8746A86E7C4E125096F707478790E409CC0F841525
SSDEEP 1536:EGBDfyBE2KRU/yEEurpIKbhPB0AixxL/80aLbs5x5dx5J:EGJyCtRUaKb1B0Aj0akx5dxX

Runtime Data

Usage (stdout):


WhoAmI has three ways of working: 

Syntax 1:
    WHOAMI [/UPN | /FQDN | /LOGONID]

Syntax 2:
    WHOAMI { [/USER] [/GROUPS] [/CLAIMS] [/PRIV] } [/FO format] [/NH]

Syntax 3:
    WHOAMI /ALL [/FO format] [/NH]

Description:
    This utility can be used to get user name and group information
    along with the respective security identifiers (SID), claims,
    privileges, logon identifier (logon ID) for the current user
    on the local system. I.e. who is the current logged on user?
    If no switch is specified, tool displays the user name in NTLM
    format (domain\username).

Parameter List:
    /UPN                    Displays the user name in User Principal 
                            Name (UPN) format.

    /FQDN                   Displays the user name in Fully Qualified 
                            Distinguished Name (FQDN) format.

    /USER                   Displays information on the current user
                            along with the security identifier (SID).

    /GROUPS                 Displays group membership for current user,
                            type of account, security identifiers (SID)
                            and attributes.

    /CLAIMS                 Displays claims for current user,
                            including claim name, flags, type and values.

    /PRIV                   Displays security privileges of the current
                            user.

    /LOGONID                Displays the logon ID of the current user.

    /ALL                    Displays the current user name, groups 
                            belonged to along with the security 
                            identifiers (SID), claims and privileges for 
                            the current user access token.

    /FO       format        Specifies the output format to be displayed.
                            Valid values are TABLE, LIST, CSV.
                            Column headings are not displayed with CSV
                            format. Default format is TABLE.

    /NH                     Specifies that the column header should not
                            be displayed in the output. This is
                            valid only for TABLE and CSV formats.

    /?                      Displays this help message.

Examples:
    WHOAMI
    WHOAMI /UPN
    WHOAMI /FQDN 
    WHOAMI /LOGONID
    WHOAMI /USER
    WHOAMI /USER /FO LIST
    WHOAMI /USER /FO CSV
    WHOAMI /GROUPS
    WHOAMI /GROUPS /FO CSV /NH
    WHOAMI /CLAIMS
    WHOAMI /CLAIMS /FO LIST
    WHOAMI /PRIV
    WHOAMI /PRIV /FO TABLE
    WHOAMI /USER /GROUPS
    WHOAMI /USER /GROUPS /CLAIMS /PRIV
    WHOAMI /ALL
    WHOAMI /ALL /FO LIST
    WHOAMI /ALL /FO CSV /NH
    WHOAMI /?

Usage (stderr):

ERROR: Invalid argument/option - '-help'.
Type "WHOAMI /?" for usage.

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: whoami.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of whoami.exe being misused. While whoami.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - 'whoami' DRL 1.0
sigma godmode_sigma_rule.yml # Running whoami as LOCAL_SYSTEM (usually after privilege escalation) DRL 1.0
sigma godmode_sigma_rule.yml Image\|contains: '\whoami.exe' DRL 1.0
sigma proc_creation_lnx_webshell_detection.yml - '/whoami' DRL 1.0
sigma web_webshell_keyword.yml - =whoami DRL 1.0
sigma proc_creation_win_apt_greenbug_may20.yml - '-noninteractive -executionpolicy bypass whoami' DRL 1.0
sigma proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml - 'whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml CommandLine\|contains: '\cmd.exe /C whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml - '/C whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_renamed_whoami.yml title: Renamed Whoami Execution DRL 1.0
sigma proc_creation_win_renamed_whoami.yml description: Detects the execution of whoami that has been renamed to a different name to avoid detection DRL 1.0
sigma proc_creation_win_renamed_whoami.yml OriginalFileName: 'whoami.exe' DRL 1.0
sigma proc_creation_win_renamed_whoami.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_commands_recon_activity.yml - whoami DRL 1.0
sigma proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml CommandLine\|contains: 'whoami' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml - '*\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \whoami.exe DRL 1.0
sigma proc_creation_win_susp_whoami.yml title: Whoami Execution DRL 1.0
sigma proc_creation_win_susp_whoami.yml description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators DRL 1.0
sigma proc_creation_win_susp_whoami.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml title: Whoami Execution Anomaly DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml description: Detects the execution of whoami with suspicious parents or parameters DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami -all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami /all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami.exe -all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami.exe /all' DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml title: WhoAmI as Parameter DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml CommandLine\|contains: '.exe whoami' DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml title: Run Whoami as Privileged User DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_as_system.yml title: Run Whoami as SYSTEM DRL 1.0
sigma proc_creation_win_whoami_as_system.yml description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. DRL 1.0
sigma proc_creation_win_whoami_as_system.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_priv.yml title: Run Whoami Showing Privileges DRL 1.0
sigma proc_creation_win_whoami_priv.yml description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt. DRL 1.0
sigma proc_creation_win_whoami_priv.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami DRL 1.0
sigma proc_creation_win_whoami_priv.yml Image\|endswith: '\whoami.exe' DRL 1.0
atomic-red-team T1033.md Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1033.md cmd.exe /C whoami MIT License. © 2018 Red Canary
atomic-red-team T1053.006.md systemd-run –user –unit=Atomic-Red-Team –on-calendar ‘*:0/1’ /bin/sh -c ‘echo “$(date) $(whoami)” »/tmp/log’ MIT License. © 2018 Red Canary
atomic-red-team T1053.006.md systemd-run –unit=Atomic-Red-Team –on-calendar ‘*:0/1’ /bin/sh -c ‘echo “$(date) $(whoami)” »/tmp/log’ MIT License. © 2018 Red Canary
atomic-red-team T1056.001.md whoami MIT License. © 2018 Red Canary
atomic-red-team T1056.001.md whoami; ausearch -i –start $(date +”%d/%m/%y %H:%M:%S”) MIT License. © 2018 Red Canary
atomic-red-team T1070.003.md whoami MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md sudo -k && echo “$P” |sudo -S whoami &>/tmp/file; \ MIT License. © 2018 Red Canary
atomic-red-team T1550.002.md | command | command to execute | String | whoami| MIT License. © 2018 Red Canary
atomic-red-team T1562.003.md | evil_command | Command to run after shell history collection is disabled | String | whoami| MIT License. © 2018 Red Canary
atomic-red-team T1562.003.md 4. whoami > recon.txt MIT License. © 2018 Red Canary
signature-base apt_lazarus_dec17.yar $x8 = “whoami /groups | findstr /c:"S-1-5-32-544"” fullword ascii CC BY-NC 4.0
signature-base apt_oilrig.yar /* whoami & hostname */ CC BY-NC 4.0
signature-base apt_oilrig.yar $s1 = “whoami & hostname & ipconfig /all” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s5 = “WHOAMI” ascii CC BY-NC 4.0
signature-base gen_lnx_malware_indicators.yar $s5 = “whoami” ascii fullword CC BY-NC 4.0
signature-base gen_p0wnshell.yar $x1 = “Pshell.RunPSCommand(Whoami);” fullword ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s4 = “whoami” ascii CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $ = “whoami” CC BY-NC 4.0
signature-base gen_webshells.yar $gen_bit_sus66 = “whoami” fullword wide ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s1 = “if(!$whoami)$whoami=exec("whoami"); echo "whoami :".$whoami."
";” fullword
CC BY-NC 4.0
signature-base thor-webshells.yar $s17 = “if(!$whoami)$whoami=exec("whoami");” fullword CC BY-NC 4.0
stockpile 55678719-e76e-4df9-92aa-10655bbd1cf4.yml cmd.exe /c "whoami /priv" >> C:\Windows\temp\history.log; Apache-2.0
stockpile bd527b63-9f9e-46e0-9816-b8434d2b8989.yml whoami Apache-2.0
stockpile c0da588f-79f0-4263-8998-7496b1a40596.yml command: whoami Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


whoami

Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.

Syntax

whoami [/upn | /fqdn | /logonid]
whoami {[/user] [/groups] [/priv]} [/fo <Format>] [/nh]
whoami /all [/fo <Format>] [/nh]

Parameters

Parameter Description
/upn Displays the user name in user principal name (UPN) format.
/fqdn Displays the user name in fully qualified domain name (FQDN) format.
/logonid Displays the logon ID of the current user.
/user Displays the current domain and user name and the security identifier (SID).
/groups Displays the user groups to which the current user belongs.
/priv Displays the security privileges of the current user.
/fo <Format> Specifies the output format. Valid values include:</br>table Displays output in a table. This is the default value.</br>list Displays output in a list.</br>csv Displays output in comma-separated value (CSV) format.
/all Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.
/nh Specifies that the column header should not be displayed in the output. This is valid only for table and CSV formats.
/? Displays help at the command prompt.

Examples

To display the domain and user name of the person who is currently logged on to this computer, type:

whoami

Output similar to the following appears:

DOMAIN1\administrator

To display all of the information in the current access token, type:

whoami /all

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.