Group Membership Reconnaissance Via Whoami.EXE

Rule Info

Name
Group Membership Reconnaissance Via Whoami.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
Reference
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
Date
2023-02-28 00:00:00
Modified
None
Id
bd8b828d-0dca-48e1-8a63-8a58ecf2644f
Tags
attack.discovery attack.t1033 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=bd8b828d-0dca-48e1-8a63-8a58ecf2644f

Rule History

Author
Title
Date
Commit
Ryan Plas
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02
1d40f1d20
github-actions[bot]
chore: promote older rules status from `experimental` to `test` (#4651)
2024-01-01
c3fe2da99
Nasreddine Bencherchali
fix: apply typo fix suggestions from code review
2023-02-28
7da6ac665
Nasreddine Bencherchali
fix: issues with CICD
2023-02-28
1353d5748
Nasreddine Bencherchali
feat: more updates and fixes
2023-02-28
137dcbcc5
Qasim Qlf
Update rules/windows/process_creation/proc_creation_win_whoami_priv.yml
2023-02-03
78419eb9c
Qasim Qlf
Update proc_creation_win_whoami_priv.yml
2023-02-03
71c2be550
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
frack113
order yaml
2022-10-28
1f8e37351
Nasreddine Bencherchali
Quick Fix
2022-05-13
2e689eca5
Nasreddine Bencherchali
Updated Rules to Use OriginalFileName
2022-05-12
d8a3ca691
frack113
Normalization of rule names
2022-02-22
8bb3379b6
Bhabesh Rai
Merging upstream updates
2021-07-01
206adbb2b
Florian Roth
rule: whoami priv
2021-05-05
80c7899c5
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022