whoami.exe

  • File Path: C:\Windows\system32\whoami.exe
  • Description: whoami - displays logged on user information

Hashes

Type Hash
MD5 A4A6924F3EAF97981323703D38FD99C4
SHA1 1915FBFDB73FDD200C47880247ACDDE5442431A9
SHA256 1D4902A04D99E8CCBFE7085E63155955FEE397449D386453F6C452AE407B8743
SHA384 3B13C11D92F1081BBABC199F32BBAA506B0C6917C4FBA93841DC32CDCFB8B48DEA2142CD6F5D7964EEEF2FAB25A5C4B9
SHA512 90A556B98C1FDDBC862E851C560BF57B2166572C1425AD624C7ADE54073012F0CF84FD1E6047015FF2CEEA96806AC8AF2BBA59B1F86F80ADF9C46A95CFD22262
SSDEEP 1536:DOG7Cm6WrNJNiQZcQsfpkb+xssmUN7h8QdWNjhuL/2IR21oxMnI:qG7X6eJo2Tb+xssmurkpIU1oxZ
IMP 7FF0758B766F747CE57DFAC70743FB88
PESHA1 1849ACA53AB1A55D87601CFCFF12BBD1BD464F78
PE256 82B7D0D03587EDDDC1D42B365648062793C5DBAEA751184D3C2BAC94219B30E4

Runtime Data

Usage (stdout):


WhoAmI has three ways of working: 

Syntax 1:
    WHOAMI [/UPN | /FQDN | /LOGONID]

Syntax 2:
    WHOAMI { [/USER] [/GROUPS] [/CLAIMS] [/PRIV] } [/FO format] [/NH]

Syntax 3:
    WHOAMI /ALL [/FO format] [/NH]

Description:
    This utility can be used to get user name and group information
    along with the respective security identifiers (SID), claims,
    privileges, logon identifier (logon ID) for the current user
    on the local system. I.e. who is the current logged on user?
    If no switch is specified, tool displays the user name in NTLM
    format (domain\username).

Parameter List:
    /UPN                    Displays the user name in User Principal 
                            Name (UPN) format.

    /FQDN                   Displays the user name in Fully Qualified 
                            Distinguished Name (FQDN) format.

    /USER                   Displays information on the current user
                            along with the security identifier (SID).

    /GROUPS                 Displays group membership for current user,
                            type of account, security identifiers (SID)
                            and attributes.

    /CLAIMS                 Displays claims for current user,
                            including claim name, flags, type and values.

    /PRIV                   Displays security privileges of the current
                            user.

    /LOGONID                Displays the logon ID of the current user.

    /ALL                    Displays the current user name, groups 
                            belonged to along with the security 
                            identifiers (SID), claims and privileges for 
                            the current user access token.

    /FO       format        Specifies the output format to be displayed.
                            Valid values are TABLE, LIST, CSV.
                            Column headings are not displayed with CSV
                            format. Default format is TABLE.

    /NH                     Specifies that the column header should not
                            be displayed in the output. This is
                            valid only for TABLE and CSV formats.

    /?                      Displays this help message.

Examples:
    WHOAMI
    WHOAMI /UPN
    WHOAMI /FQDN 
    WHOAMI /LOGONID
    WHOAMI /USER
    WHOAMI /USER /FO LIST
    WHOAMI /USER /FO CSV
    WHOAMI /GROUPS
    WHOAMI /GROUPS /FO CSV /NH
    WHOAMI /CLAIMS
    WHOAMI /CLAIMS /FO LIST
    WHOAMI /PRIV
    WHOAMI /PRIV /FO TABLE
    WHOAMI /USER /GROUPS
    WHOAMI /USER /GROUPS /CLAIMS /PRIV
    WHOAMI /ALL
    WHOAMI /ALL /FO LIST
    WHOAMI /ALL /FO CSV /NH
    WHOAMI /?

Usage (stderr):

ERROR: Invalid argument/option - '--help'.
Type "WHOAMI /?" for usage.

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\whoami.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: whoami.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/1d4902a04d99e8ccbfe7085e63155955fee397449d386453f6c452ae407b8743/detection

Possible Misuse

The following table contains possible examples of whoami.exe being misused. While whoami.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - 'whoami' DRL 1.0
sigma godmode_sigma_rule.yml # Running whoami as LOCAL_SYSTEM (usually after privilege escalation) DRL 1.0
sigma godmode_sigma_rule.yml Image\|contains: '\whoami.exe' DRL 1.0
sigma proc_creation_lnx_webshell_detection.yml - '/whoami' DRL 1.0
sigma web_webshell_keyword.yml - =whoami DRL 1.0
sigma proc_creation_win_apt_greenbug_may20.yml - '-noninteractive -executionpolicy bypass whoami' DRL 1.0
sigma proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml - 'whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml CommandLine\|contains: '\cmd.exe /C whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml - '/C whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_renamed_whoami.yml title: Renamed Whoami Execution DRL 1.0
sigma proc_creation_win_renamed_whoami.yml description: Detects the execution of whoami that has been renamed to a different name to avoid detection DRL 1.0
sigma proc_creation_win_renamed_whoami.yml OriginalFileName: 'whoami.exe' DRL 1.0
sigma proc_creation_win_renamed_whoami.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_commands_recon_activity.yml - whoami DRL 1.0
sigma proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml CommandLine\|contains: 'whoami' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml - '*\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \whoami.exe DRL 1.0
sigma proc_creation_win_susp_whoami.yml title: Whoami Execution DRL 1.0
sigma proc_creation_win_susp_whoami.yml description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators DRL 1.0
sigma proc_creation_win_susp_whoami.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml title: Whoami Execution Anomaly DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml description: Detects the execution of whoami with suspicious parents or parameters DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami -all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami /all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami.exe -all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami.exe /all' DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml title: WhoAmI as Parameter DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml CommandLine\|contains: '.exe whoami' DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml title: Run Whoami as Privileged User DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_as_system.yml title: Run Whoami as SYSTEM DRL 1.0
sigma proc_creation_win_whoami_as_system.yml description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. DRL 1.0
sigma proc_creation_win_whoami_as_system.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_priv.yml title: Run Whoami Showing Privileges DRL 1.0
sigma proc_creation_win_whoami_priv.yml description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. DRL 1.0
sigma proc_creation_win_whoami_priv.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami DRL 1.0
sigma proc_creation_win_whoami_priv.yml Image\|endswith: '\whoami.exe' DRL 1.0
atomic-red-team T1033.md Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who. MIT License. © 2018 Red Canary
atomic-red-team T1033.md cmd.exe /C whoami MIT License. © 2018 Red Canary
atomic-red-team T1053.006.md systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log' MIT License. © 2018 Red Canary
atomic-red-team T1053.006.md systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log' MIT License. © 2018 Red Canary
atomic-red-team T1056.001.md whoami MIT License. © 2018 Red Canary
atomic-red-team T1056.001.md whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") MIT License. © 2018 Red Canary
atomic-red-team T1070.003.md whoami MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \ MIT License. © 2018 Red Canary
atomic-red-team T1550.002.md | command | command to execute | String | whoami| MIT License. © 2018 Red Canary
atomic-red-team T1562.003.md | evil_command | Command to run after shell history collection is disabled | String | whoami| MIT License. © 2018 Red Canary
atomic-red-team T1562.003.md 4. whoami > recon.txt MIT License. © 2018 Red Canary
signature-base apt_lazarus_dec17.yar $x8 = "whoami /groups | findstr /c:\"S-1-5-32-544\"" fullword ascii CC BY-NC 4.0
signature-base apt_oilrig.yar /* whoami & hostname */ CC BY-NC 4.0
signature-base apt_oilrig.yar $s1 = "whoami & hostname & ipconfig /all" ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s5 = "WHOAMI" ascii CC BY-NC 4.0
signature-base gen_lnx_malware_indicators.yar $s5 = "whoami" ascii fullword CC BY-NC 4.0
signature-base gen_p0wnshell.yar $x1 = "Pshell.RunPSCommand(Whoami);" fullword ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s4 = "whoami" ascii CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $ = "whoami" CC BY-NC 4.0
signature-base gen_webshells.yar $gen_bit_sus66 = "whoami" fullword wide ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"\n\";" fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword CC BY-NC 4.0
stockpile 55678719-e76e-4df9-92aa-10655bbd1cf4.yml cmd.exe /c "whoami /priv" >> C:\Windows\temp\history.log; Apache-2.0
stockpile bd527b63-9f9e-46e0-9816-b8434d2b8989.yml whoami Apache-2.0
stockpile c0da588f-79f0-4263-8998-7496b1a40596.yml command: whoami Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


whoami

Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.

Syntax

whoami [/upn | /fqdn | /logonid]
whoami {[/user] [/groups] [/priv]} [/fo <Format>] [/nh]
whoami /all [/fo <Format>] [/nh]

Parameters

Parameter       Description
/upn            Displays the user name in user principal name (UPN) format.
/fqdn           Displays the user name in fully qualified domain name (FQDN) format.
/logonid        Displays the logon ID of the current user.
/user           Displays the current domain and user name and the security identifier (SID).
/groups         Displays the user groups to which the current user belongs.
/priv           Displays the security privileges of the current user.
/fo <Format>    Specifies the output format. Valid values include:
                table   Displays output in a table. This is the default value.
                list    Displays output in a list.
                csv     Displays output in comma-separated value (CSV) format.
/all            Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.
/nh             Specifies that the column header should not be displayed in the output. This is valid only for table and CSV formats.
/?              Displays help at the command prompt.

Examples

To display the domain and user name of the person who is currently logged on to this computer, type:

whoami

Output similar to the following appears:

DOMAIN1\administrator

To display all of the information in the current access token, type:

whoami /all

MIT License. Copyright (c) 2020-2021 Strontic.