Group Membership Reconnaissance Via Whoami.EXE

Rule Info

Tags
attack.discovery DEMO attack.t1033
Modified
None
Author
Nasreddine Bencherchali (Nextron Systems)
Name
Group Membership Reconnaissance Via Whoami.EXE
Description
Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
Date
2023-02-28 00:00:00
Reference
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
Id
bd8b828d-0dca-48e1-8a63-8a58ecf2644f
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=bd8b828d-0dca-48e1-8a63-8a58ecf2644f

Rule History

Commit
Date
Author
Title
7da6ac665
2023-02-28
Nasreddine Bencherchali
fix: apply typo fix suggestions from code review
1353d5748
2023-02-28
Nasreddine Bencherchali
fix: issues with CICD
137dcbcc5
2023-02-28
Nasreddine Bencherchali
feat: more updates and fixes
78419eb9c
2023-02-03
Qasim Qlf
Update rules/windows/process_creation/proc_creation_win_whoami_priv.yml
71c2be550
2023-02-03
Qasim Qlf
Update proc_creation_win_whoami_priv.yml
7c38a5c49
2023-02-01
Nasreddine Bencherchali
chore: add nextron authors tag
1f8e37351
2022-10-28
frack113
order yaml
2e689eca5
2022-05-13
Nasreddine Bencherchali
Quick Fix
d8a3ca691
2022-05-12
Nasreddine Bencherchali
Updated Rules to Use OriginalFileName
8bb3379b6
2022-02-22
frack113
Normalization of rule names
206adbb2b
2021-07-01
Bhabesh Rai
Merging upstream updates
80c7899c5
2021-05-05
Florian Roth
rule: whoami priv
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022