← Back to Explore
sigmahighHunting
Whoami.EXE Execution From Privileged Process
Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
Detection Query
selection_img:
- OriginalFileName: whoami.exe
- Image|endswith: \whoami.exe
selection_user:
User|contains:
- AUTHORI
- AUTORI
- TrustedInstaller
condition: all of selection_*
Author
Florian Roth (Nextron Systems), Teymur Kheirkhabarov
Created
2022-01-28
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.discoveryattack.t1033
Raw Content
title: Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
related:
- id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
type: obsolete
status: test
description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
date: 2022-01-28
modified: 2023-12-04
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'whoami.exe'
- Image|endswith: '\whoami.exe'
selection_user:
User|contains:
- 'AUTHORI'
- 'AUTORI'
- 'TrustedInstaller'
condition: all of selection_*
falsepositives:
- Unknown
level: high