whoami.exe

  • File Path: C:\windows\SysWOW64\whoami.exe
  • Description: whoami - displays logged on user information

Hashes

Type Hash
MD5 E574D1702A90525E1FD1A4E4E34BB967
SHA1 3D03BDF542FA542F6184F3532ECCF5AA4AB1DCAB
SHA256 4E62C0E369B1EB045548D9C9BB2BA27137E6456D12F5C97F61BCD5890239FE1D
SHA384 6494E1CB166E69D95909F838F88FA12475464ED8E38E5D6C1407F505D5954737CD6D3B132EBDEFB026467CD49226CB61
SHA512 07AFA7EDFCCEB342D15D00A969807ABA55E8B3B44A102454420FB99C0B2469F28A634C559D669B5F06D3A1C39935400B2DAE158246EEDAA6BD5D56CB5A13E2C0
SSDEEP 1536:0YC/iQSH3F/eiGlMk0z979ziqOikSArZxEIsD5x2RaeL:0ktH1lcp2J9edhhqIsD5x27

Signature

  • Status: The file C:\windows\SysWOW64\whoami.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: whoami.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of whoami.exe being misused. While whoami.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - 'whoami' DRL 1.0
sigma godmode_sigma_rule.yml # Running whoami as LOCAL_SYSTEM (usually after privilege escalation) DRL 1.0
sigma godmode_sigma_rule.yml Image\|contains: '\whoami.exe' DRL 1.0
sigma proc_creation_lnx_webshell_detection.yml - '/whoami' DRL 1.0
sigma web_webshell_keyword.yml - =whoami DRL 1.0
sigma proc_creation_win_apt_greenbug_may20.yml - '-noninteractive -executionpolicy bypass whoami' DRL 1.0
sigma proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml - 'whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml CommandLine\|contains: '\cmd.exe /C whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml - '/C whoami' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_renamed_whoami.yml title: Renamed Whoami Execution DRL 1.0
sigma proc_creation_win_renamed_whoami.yml description: Detects the execution of whoami that has been renamed to a different name to avoid detection DRL 1.0
sigma proc_creation_win_renamed_whoami.yml OriginalFileName: 'whoami.exe' DRL 1.0
sigma proc_creation_win_renamed_whoami.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_commands_recon_activity.yml - whoami DRL 1.0
sigma proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml CommandLine\|contains: 'whoami' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml - '*\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \whoami.exe DRL 1.0
sigma proc_creation_win_susp_whoami.yml title: Whoami Execution DRL 1.0
sigma proc_creation_win_susp_whoami.yml description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators DRL 1.0
sigma proc_creation_win_susp_whoami.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml title: Whoami Execution Anomaly DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml description: Detects the execution of whoami with suspicious parents or parameters DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami -all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami /all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami.exe -all' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - 'whoami.exe /all' DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml title: WhoAmI as Parameter DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) DRL 1.0
sigma proc_creation_win_susp_whoami_as_param.yml CommandLine\|contains: '.exe whoami' DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml title: Run Whoami as Privileged User DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors DRL 1.0
sigma proc_creation_win_whoami_as_priv_user.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_as_system.yml title: Run Whoami as SYSTEM DRL 1.0
sigma proc_creation_win_whoami_as_system.yml description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. DRL 1.0
sigma proc_creation_win_whoami_as_system.yml Image\|endswith: '\whoami.exe' DRL 1.0
sigma proc_creation_win_whoami_priv.yml title: Run Whoami Showing Privileges DRL 1.0
sigma proc_creation_win_whoami_priv.yml description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt. DRL 1.0
sigma proc_creation_win_whoami_priv.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami DRL 1.0
sigma proc_creation_win_whoami_priv.yml Image\|endswith: '\whoami.exe' DRL 1.0
atomic-red-team T1033.md Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1033.md cmd.exe /C whoami MIT License. © 2018 Red Canary
atomic-red-team T1053.006.md systemd-run –user –unit=Atomic-Red-Team –on-calendar ‘*:0/1’ /bin/sh -c ‘echo “$(date) $(whoami)” »/tmp/log’ MIT License. © 2018 Red Canary
atomic-red-team T1053.006.md systemd-run –unit=Atomic-Red-Team –on-calendar ‘*:0/1’ /bin/sh -c ‘echo “$(date) $(whoami)” »/tmp/log’ MIT License. © 2018 Red Canary
atomic-red-team T1056.001.md whoami MIT License. © 2018 Red Canary
atomic-red-team T1056.001.md whoami; ausearch -i –start $(date +”%d/%m/%y %H:%M:%S”) MIT License. © 2018 Red Canary
atomic-red-team T1070.003.md whoami MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md sudo -k && echo “$P” |sudo -S whoami &>/tmp/file; \ MIT License. © 2018 Red Canary
atomic-red-team T1550.002.md | command | command to execute | String | whoami| MIT License. © 2018 Red Canary
atomic-red-team T1562.003.md | evil_command | Command to run after shell history collection is disabled | String | whoami| MIT License. © 2018 Red Canary
atomic-red-team T1562.003.md 4. whoami > recon.txt MIT License. © 2018 Red Canary
signature-base apt_lazarus_dec17.yar $x8 = “whoami /groups | findstr /c:"S-1-5-32-544"” fullword ascii CC BY-NC 4.0
signature-base apt_oilrig.yar /* whoami & hostname */ CC BY-NC 4.0
signature-base apt_oilrig.yar $s1 = “whoami & hostname & ipconfig /all” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s5 = “WHOAMI” ascii CC BY-NC 4.0
signature-base gen_lnx_malware_indicators.yar $s5 = “whoami” ascii fullword CC BY-NC 4.0
signature-base gen_p0wnshell.yar $x1 = “Pshell.RunPSCommand(Whoami);” fullword ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s4 = “whoami” ascii CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $ = “whoami” CC BY-NC 4.0
signature-base gen_webshells.yar $gen_bit_sus66 = “whoami” fullword wide ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s1 = “if(!$whoami)$whoami=exec("whoami"); echo "whoami :".$whoami."
";” fullword
CC BY-NC 4.0
signature-base thor-webshells.yar $s17 = “if(!$whoami)$whoami=exec("whoami");” fullword CC BY-NC 4.0
stockpile 55678719-e76e-4df9-92aa-10655bbd1cf4.yml cmd.exe /c "whoami /priv" >> C:\Windows\temp\history.log; Apache-2.0
stockpile bd527b63-9f9e-46e0-9816-b8434d2b8989.yml whoami Apache-2.0
stockpile c0da588f-79f0-4263-8998-7496b1a40596.yml command: whoami Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


whoami

Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.

Syntax

whoami [/upn | /fqdn | /logonid]
whoami {[/user] [/groups] [/priv]} [/fo <Format>] [/nh]
whoami /all [/fo <Format>] [/nh]

Parameters

Parameter Description
/upn Displays the user name in user principal name (UPN) format.
/fqdn Displays the user name in fully qualified domain name (FQDN) format.
/logonid Displays the logon ID of the current user.
/user Displays the current domain and user name and the security identifier (SID).
/groups Displays the user groups to which the current user belongs.
/priv Displays the security privileges of the current user.
/fo <Format> Specifies the output format. Valid values include:</br>table Displays output in a table. This is the default value.</br>list Displays output in a list.</br>csv Displays output in comma-separated value (CSV) format.
/all Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.
/nh Specifies that the column header should not be displayed in the output. This is valid only for table and CSV formats.
/? Displays help at the command prompt.

Examples

To display the domain and user name of the person who is currently logged on to this computer, type:

whoami

Output similar to the following appears:

DOMAIN1\administrator

To display all of the information in the current access token, type:

whoami /all

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.