Group Membership Reconnaissance Via Whoami.EXE

Rule Info

Name

Group Membership Reconnaissance Via Whoami.EXE

Author

Nasreddine Bencherchali (Nextron Systems)

Description

Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.

Reference

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami

Date

2023-02-28 00:00:00

Modified

None

bd8b828d-0dca-48e1-8a63-8a58ecf2644f

Rule History

Author

Title

Date

Commit

Nasreddine Bencherchali

Merge PR #4950 from @nasbench - Comply With v2 Spec Changes

2024-08-12

598d29f81

Ryan Plas

Merge PR #4893 from @ryanplasma - Update Microsoft references URLS

2024-07-02

1d40f1d20

github-actions[bot]

chore: promote older rules status from `experimental` to `test` (#4651)

2024-01-01

c3fe2da99

Nasreddine Bencherchali

fix: apply typo fix suggestions from code review

2023-02-28

7da6ac665

Nasreddine Bencherchali

fix: issues with CICD

2023-02-28

1353d5748

Nasreddine Bencherchali

feat: more updates and fixes

2023-02-28

137dcbcc5

Qasim Qlf

Update rules/windows/process_creation/proc_creation_win_whoami_priv.yml

2023-02-03

78419eb9c

Qasim Qlf

Update proc_creation_win_whoami_priv.yml

2023-02-03

71c2be550

Nasreddine Bencherchali

chore: add nextron authors tag

2023-02-01

7c38a5c49

frack113

order yaml

2022-10-28

1f8e37351

Nasreddine Bencherchali

Quick Fix

2022-05-13

2e689eca5

Nasreddine Bencherchali

Updated Rules to Use OriginalFileName

2022-05-12

d8a3ca691

frack113

Normalization of rule names

2022-02-22

8bb3379b6

Bhabesh Rai

Merging upstream updates

2021-07-01

206adbb2b

Florian Roth

rule: whoami priv

2021-05-05

80c7899c5