Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Whoami.EXE Execution With Output Option

Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Tue Feb 28Updated Mon Dec 04c30fb093-1109-4dc8-88a8-b30d11c95a5dwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_main_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_main_cli:
        CommandLine|contains:
            - ' /FO CSV'
            - ' -FO CSV'
    selection_special:
        CommandLine|contains: 'whoami*>'
    condition: all of selection_main_* or selection_special
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
brica.de
2
Resolving title…
app.any.run
3
Resolving title…
youtube.com
MITRE ATT&CK

CAR Analytics

2016-03-001 · CAR 2016-03-001
Rule Metadata
Rule ID
c30fb093-1109-4dc8-88a8-b30d11c95a5d
Status
test
Level
medium
Type
Detection
Created
Tue Feb 28
Modified
Mon Dec 04
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_whoami_output.yml
Raw Tags
attack.discoveryattack.t1033car.2016-03-001
View on GitHub