Detectionmediumtest
Whoami.EXE Execution Anomaly
Detects the execution of whoami.exe with suspicious parent processes.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Thu Aug 12Updated Thu Mar 068de1cbe8-d6f5-496d-8237-5f44a721c7a0windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic5 selectors
detection:
selection:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
filter_main_known_parents:
# This list can be any legitimate shell or application that you expect whoami to run from
ParentImage|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_optional_ms_monitoring_agent:
ParentImage|endswith: ':\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
filter_main_parent_null:
ParentImage: null
filter_main_parent_empty:
ParentImage:
- ''
- '-'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Admin activity
Scripts and administrative tools used in the monitored environment
Monitoring activity
MITRE ATT&CK
Tactics
Techniques
CAR Analytics
2016-03-001 · CAR 2016-03-001
Rule Metadata
Rule ID
8de1cbe8-d6f5-496d-8237-5f44a721c7a0
Status
test
Level
medium
Type
Detection
Created
Thu Aug 12
Modified
Thu Mar 06
Path
rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
Raw Tags
attack.discoveryattack.t1033car.2016-03-001