sigma |
godmode_sigma_rule.yml |
- 'whoami' |
DRL 1.0 |
sigma |
godmode_sigma_rule.yml |
# Running whoami as LOCAL_SYSTEM (usually after privilege escalation) |
DRL 1.0 |
sigma |
godmode_sigma_rule.yml |
Image\|contains: '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_lnx_webshell_detection.yml |
- '/whoami' |
DRL 1.0 |
sigma |
web_webshell_keyword.yml |
- =whoami |
DRL 1.0 |
sigma |
proc_creation_win_apt_greenbug_may20.yml |
- '-noninteractive -executionpolicy bypass whoami' |
DRL 1.0 |
sigma |
proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml |
- 'whoami' |
DRL 1.0 |
sigma |
proc_creation_win_cobaltstrike_process_patterns.yml |
CommandLine\|contains: '\cmd.exe /C whoami' |
DRL 1.0 |
sigma |
proc_creation_win_cobaltstrike_process_patterns.yml |
- '/C whoami' |
DRL 1.0 |
sigma |
proc_creation_win_cobaltstrike_process_patterns.yml |
- '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_impacket_lateralization.yml |
# cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 |
DRL 1.0 |
sigma |
proc_creation_win_local_system_owner_account_discovery.yml |
- Image\|endswith: '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_malware_dridex.yml |
Image\|endswith: '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_renamed_whoami.yml |
title: Renamed Whoami Execution |
DRL 1.0 |
sigma |
proc_creation_win_renamed_whoami.yml |
description: Detects the execution of whoami that has been renamed to a different name to avoid detection |
DRL 1.0 |
sigma |
proc_creation_win_renamed_whoami.yml |
OriginalFileName: 'whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_renamed_whoami.yml |
Image\|endswith: '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_commands_recon_activity.yml |
- whoami |
DRL 1.0 |
sigma |
proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml |
CommandLine\|contains: 'whoami' |
DRL 1.0 |
sigma |
proc_creation_win_susp_shell_spawn_by_java.yml |
- '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_shell_spawn_by_java_keytool.yml |
- '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_shell_spawn_from_winrm.yml |
- '*\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_spoolsv_child_processes.yml |
- \whoami.exe |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami.yml |
title: Whoami Execution |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami.yml |
description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami.yml |
Image\|endswith: '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_anomaly.yml |
title: Whoami Execution Anomaly |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_anomaly.yml |
description: Detects the execution of whoami with suspicious parents or parameters |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_anomaly.yml |
Image\|endswith: '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_anomaly.yml |
- 'whoami -all' |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_anomaly.yml |
- 'whoami /all' |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_anomaly.yml |
- 'whoami.exe -all' |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_anomaly.yml |
- 'whoami.exe /all' |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_as_param.yml |
title: WhoAmI as Parameter |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_as_param.yml |
description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) |
DRL 1.0 |
sigma |
proc_creation_win_susp_whoami_as_param.yml |
CommandLine\|contains: '.exe whoami' |
DRL 1.0 |
sigma |
proc_creation_win_webshell_detection.yml |
- '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_whoami_as_priv_user.yml |
title: Run Whoami as Privileged User |
DRL 1.0 |
sigma |
proc_creation_win_whoami_as_priv_user.yml |
description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors |
DRL 1.0 |
sigma |
proc_creation_win_whoami_as_priv_user.yml |
Image\|endswith: '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_whoami_as_system.yml |
title: Run Whoami as SYSTEM |
DRL 1.0 |
sigma |
proc_creation_win_whoami_as_system.yml |
description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. |
DRL 1.0 |
sigma |
proc_creation_win_whoami_as_system.yml |
Image\|endswith: '\whoami.exe' |
DRL 1.0 |
sigma |
proc_creation_win_whoami_priv.yml |
title: Run Whoami Showing Privileges |
DRL 1.0 |
sigma |
proc_creation_win_whoami_priv.yml |
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. |
DRL 1.0 |
sigma |
proc_creation_win_whoami_priv.yml |
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami |
DRL 1.0 |
sigma |
proc_creation_win_whoami_priv.yml |
Image\|endswith: '\whoami.exe' |
DRL 1.0 |
atomic-red-team |
T1033.md |
Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1033.md |
cmd.exe /C whoami |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1053.006.md |
systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log' |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1053.006.md |
systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log' |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1056.001.md |
whoami |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1056.001.md |
whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1070.003.md |
whoami |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1110.001.md |
sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \ |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1550.002.md |
| command | command to execute | String | whoami| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.003.md |
| evil_command | Command to run after shell history collection is disabled | String | whoami| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.003.md |
4. whoami > recon.txt |
MIT License. © 2018 Red Canary |
signature-base |
apt_lazarus_dec17.yar |
$x8 = “whoami /groups | findstr /c:"S-1-5-32-544"” fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_oilrig.yar |
/* whoami & hostname */ |
CC BY-NC 4.0 |
signature-base |
apt_oilrig.yar |
$s1 = "whoami & hostname & ipconfig /all" ascii |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s5 = "WHOAMI" ascii |
CC BY-NC 4.0 |
signature-base |
gen_lnx_malware_indicators.yar |
$s5 = "whoami" ascii fullword |
CC BY-NC 4.0 |
signature-base |
gen_p0wnshell.yar |
$x1 = "Pshell.RunPSCommand(Whoami);" fullword ascii |
CC BY-NC 4.0 |
signature-base |
gen_recon_indicators.yar |
$s4 = "whoami" ascii |
CC BY-NC 4.0 |
signature-base |
gen_suspicious_strings.yar |
$ = "whoami" |
CC BY-NC 4.0 |
signature-base |
gen_webshells.yar |
$gen_bit_sus66 = "whoami" fullword wide ascii |
CC BY-NC 4.0 |
signature-base |
thor-webshells.yar |
$s1 = “if(!$whoami)$whoami=exec("whoami"); echo "whoami :".$whoami." ";” fullword |
CC BY-NC 4.0 |
signature-base |
thor-webshells.yar |
$s17 = “if(!$whoami)$whoami=exec("whoami");” fullword |
CC BY-NC 4.0 |
stockpile |
55678719-e76e-4df9-92aa-10655bbd1cf4.yml |
cmd.exe /c "whoami /priv" >> C:\Windows\temp\history.log; |
Apache-2.0 |
stockpile |
bd527b63-9f9e-46e0-9816-b8434d2b8989.yml |
whoami |
Apache-2.0 |
stockpile |
c0da588f-79f0-4263-8998-7496b1a40596.yml |
command: whoami |
Apache-2.0 |