← Back to Explore
sigmamediumHunting
Whoami.EXE Execution With Output Option
Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
Detection Query
selection_main_img:
- Image|endswith: \whoami.exe
- OriginalFileName: whoami.exe
selection_main_cli:
CommandLine|contains:
- " /FO CSV"
- " -FO CSV"
selection_special:
CommandLine|contains: whoami*>
condition: all of selection_main_* or selection_special
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2023-02-28
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.discoveryattack.t1033car.2016-03-001
Raw Content
title: Whoami.EXE Execution With Output Option
id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
status: test
description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2023-12-04
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_main_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_main_cli:
CommandLine|contains:
- ' /FO CSV'
- ' -FO CSV'
selection_special:
CommandLine|contains: 'whoami*>'
condition: all of selection_main_* or selection_special
falsepositives:
- Unknown
level: medium