Suspicious Whoami.EXE Execution

Rule Info

Tags
attack.discovery car.2016-03-001 attack.t1033 DEMO
Modified
None
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Name
Suspicious Whoami.EXE Execution
Description
Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.
Date
2023-02-28 00:00:00
Reference
https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
Id
c30fb093-1109-4dc8-88a8-b30d11c95a5d
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=c30fb093-1109-4dc8-88a8-b30d11c95a5d

Rule History

Commit
Date
Author
Title
137dcbcc5
2023-02-28
Nasreddine Bencherchali
feat: more updates and fixes
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022