---
action: global
title: Whoami Execution
status: experimental
description: 'Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators'
references:
    - https://twitter.com/haroonmeer/status/939099379834658817
    - https://twitter.com/c_APT_ure/status/939475433711722497
author: Florian Roth
date: 2018/05/22
detection:
    condition: selection
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine: 'whoami'
---
logsource:
    product: windows
    service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\whoami.exe'
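The two selections above behave differently under Sigma matching semantics: a plain string value such as `CommandLine: 'whoami'` is an exact, case-insensitive match, so a Sysmon event whose command line is `whoami /all` does not trigger the rule, while the Security selection uses a leading `*` and matches any path ending in `\whoami.exe`. The following Python evaluator is an added example, not part of the rule or of the Sigma project: it implements just the subset of Sigma value matching the rule needs (exact case-insensitive strings, `*`/`?` wildcards, and the `|endswith`, `|startswith` and `|contains` field modifiers), runs both selections over constructed sample events, and then runs an alternative image-based Sysmon selection, `Image|endswith: '\whoami.exe'`, which is this example's own suggestion rather than something the rule contains. The events, the `service` key used to stand in for the logsource, and the function names are all assumptions of this example.

```python
"""Minimal evaluator for the two selections of the Whoami Execution Sigma rule.

Added example, not the rule's or the Sigma project's code. It implements the subset
of Sigma matching semantics the rule needs: plain string values are exact,
case-insensitive matches; '*' and '?' are wildcards; the field modifiers
|endswith, |startswith and |contains wrap the value in wildcards.
"""
import re

# The two per-logsource selections of the rule, transcribed from the YAML above.
SYSMON_SELECTION = {"EventID": 1, "CommandLine": "whoami"}
SECURITY_SELECTION = {"EventID": 4688, "NewProcessName": r"*\whoami.exe"}

# Alternative Sysmon selection (an assumption of this example, not part of the rule):
# match on the image path so that arguments such as "whoami /all" do not slip past.
SYSMON_IMAGE_SELECTION = {"EventID": 1, "Image|endswith": r"\whoami.exe"}

# Constructed sample events (not real telemetry). "service" stands in for the logsource.
SAMPLE_EVENTS = [
    {"service": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"service": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
    {"service": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "WHOAMI"},
    {"service": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"service": "security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\whoami.exe"},
    {"service": "security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    # 4689 is process termination, not creation, so the rule must not fire on it.
    {"service": "security", "EventID": 4689, "NewProcessName": r"C:\Windows\System32\whoami.exe"},
]


def _value_regex(value, modifier=None):
    """Translate a Sigma value (plus optional field modifier) into a compiled regex.

    '*' becomes '.*', '?' becomes '.', everything else is literal; the match is
    case-insensitive and must cover the whole field value (Sigma exact-match rule).
    """
    text = str(value)
    if modifier == "endswith":
        text = "*" + text
    elif modifier == "startswith":
        text = text + "*"
    elif modifier == "contains":
        text = "*" + text + "*"
    elif modifier is not None:
        raise ValueError(f"unsupported modifier: {modifier}")
    pattern = re.escape(text).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def selection_matches(selection, event):
    """True when every field of the selection matches the event (Sigma maps are ANDed)."""
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not _value_regex(value, modifier or None).fullmatch(str(event[field])):
            return False
    return True


def run_rule(events, sysmon_selection=SYSMON_SELECTION):
    """Return the indices of events that trigger the rule, dispatching on logsource."""
    hits = []
    for index, event in enumerate(events):
        selection = sysmon_selection if event["service"] == "sysmon" else SECURITY_SELECTION
        if selection_matches(selection, event):
            hits.append(index)
    return hits


if __name__ == "__main__":
    print("rule as written:", run_rule(SAMPLE_EVENTS))                    # [0, 2, 4]
    print("image-based sysmon selection:", run_rule(SAMPLE_EVENTS, SYSMON_IMAGE_SELECTION))  # [0, 1, 2, 4]
```

Running it shows the gap: with the rule as written, the `whoami /all` event (index 1) is missed by the Sysmon selection even though the same execution is caught by the 4688 selection on hosts where process-creation auditing is enabled; the image-based selection closes that gap on the Sysmon side without widening the match beyond `whoami.exe`.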