Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects the execution of whoami that has been renamed to a different name to avoid detection
status testauthor Florian Roth (Nextron Systems)id f1086bf7-a0c4-4a37-9102-01e573caf4a0
view Sigma YAML
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'whoami.exe'
filter:
Image|endswith: '\whoami.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
high
Chopper Webshell Process Pattern
Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
status testauthor Florian Roth (Nextron Systems), MSTI (query)id fa3c117a-bc0d-416e-a31b-0c0e80653efb
view Sigma YAML
title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_origin:
- Image|endswith: '\w3wp.exe'
- ParentImage|endswith: '\w3wp.exe'
selection_cmdline:
CommandLine|contains:
- '&ipconfig&echo'
- '&quser&echo'
- '&whoami&echo'
- '&c:&echo'
- '&cd&echo'
- '&dir&echo'
- '&echo [E]'
- '&echo [S]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
HackTool - SharpLdapWhoami Execution
Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
status testauthor Florian Roth (Nextron Systems)id d9367cbb-c2e0-47ce-bdc0-128cb6da898d
view Sigma YAML
title: HackTool - SharpLdapWhoami Execution
id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
status: test
description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
references:
- https://github.com/bugch3ck/SharpLdapWhoami
author: Florian Roth (Nextron Systems)
date: 2022-08-29
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_name:
Image|endswith: '\SharpLdapWhoami.exe'
selection_pe: # in case the file has been renamed after compilation
- OriginalFileName|contains: 'SharpLdapWhoami'
- Product: 'SharpLdapWhoami'
selection_flags1:
CommandLine|endswith:
- ' /method:ntlm'
- ' /method:kerb'
- ' /method:nego'
- ' /m:nego'
- ' /m:ntlm'
- ' /m:kerb'
condition: 1 of selection*
falsepositives:
- Programs that use the same command line flags
level: high
high
HackTool - SharpView Execution
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
status testauthor frack113id b2317cfa-4a47-4ead-b3ff-297438c0bc2d
Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
status testauthor Sagie Dulce, Dekel Pazid 56fda488-113e-4ce9-8076-afc2457922c3
view Sigma YAML
title: Possible DCSync Attack
id: 56fda488-113e-4ce9-8076-afc2457922c3
status: test
description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1033
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
filter:
OpNum:
- 0
- 1
- 12
condition: selection and not filter
falsepositives:
- Unknown
level: high
high
Security Privileges Enumeration Via Whoami.EXE
Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
status testauthor Florian Roth (Nextron Systems)id 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
view Sigma YAML
title: Security Privileges Enumeration Via Whoami.EXE
id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
status: test
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth (Nextron Systems)
date: 2021-05-05
modified: 2023-02-28
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_cli:
CommandLine|contains:
- ' /priv'
- ' -priv'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
SharpHound Recon Sessions
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
status testauthor Sagie Dulce, Dekel Pazid 6d580420-ff3f-4e0e-b6b0-41b90c787e28
view Sigma YAML
title: SharpHound Recon Sessions
id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
status: test
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.discovery
- attack.t1033
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
OpNum: 12
condition: selection
falsepositives:
- Unknown
level: high
high
Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
status testauthor Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Andersonid bed2a484-9348-4143-8a8a-b801c979301c
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
status testauthor Florian Roth (Nextron Systems)id 4ebc877f-4612-45cb-b3a5-8e3834db36c9
view Sigma YAML
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
- https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
# Webserver
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
# Suspicious child processes
selection_child_1:
# Process dumping
CommandLine|contains|all:
- 'rundll32'
- 'comsvcs'
selection_child_2:
# Winrar exfil
CommandLine|contains|all:
- ' -hp'
- ' a '
- ' -m'
selection_child_3:
# User add
CommandLine|contains|all:
- 'net'
- ' user '
- ' /add'
selection_child_4:
CommandLine|contains|all:
- 'net'
- ' localgroup '
- ' administrators '
- '/add'
selection_child_5:
Image|endswith:
# Credential stealing
- '\ntdsutil.exe'
# AD recon
- '\ldifde.exe'
- '\adfind.exe'
# Process dumping
- '\procdump.exe'
- '\Nanodump.exe'
# Destruction / ransom groups
- '\vssadmin.exe'
- '\fsutil.exe'
selection_child_6:
# SUspicious patterns
CommandLine|contains:
- ' -decode ' # Used with certutil
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' /decode ' # Used with certutil
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- '.dmp full' # Process dumping method apart from procdump
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- 'FromBase64String' # PowerShell encoded payload
- 'process call create' # WMIC process creation
- 'reg save ' # save registry SAM - syskey extraction
- 'whoami /priv'
condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
high
WhoAmI as Parameter
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
status testauthor Florian Roth (Nextron Systems)id e9142d84-fbe0-401d-ac50-3e519fb00c89
view Sigma YAML
title: WhoAmI as Parameter
id: e9142d84-fbe0-401d-ac50-3e519fb00c89
status: test
description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
references:
- https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2022-12-25
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '.exe whoami'
condition: selection
falsepositives:
- Unknown
level: high
high
Whoami.EXE Execution From Privileged Process
Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
status testauthor Florian Roth (Nextron Systems), Teymur Kheirkhabarovid 79ce34ca-af29-4d0e-b832-fc1b377020db
view Sigma YAML
title: Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
related:
- id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
type: obsolete
status: test
description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
date: 2022-01-28
modified: 2023-12-04
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'whoami.exe'
- Image|endswith: '\whoami.exe'
selection_user:
User|contains:
- 'AUTHORI'
- 'AUTORI'
- 'TrustedInstaller'
condition: all of selection_*
falsepositives:
- Unknown
level: high
medium
Computer Discovery And Export Via Get-ADComputer Cmdlet
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
status testauthor Nasreddine Bencherchali (Nextron Systems)id 435e10e4-992a-4281-96f3-38b11106adde
view Sigma YAML
title: Computer Discovery And Export Via Get-ADComputer Cmdlet
id: 435e10e4-992a-4281-96f3-38b11106adde
related:
- id: db885529-903f-4c5d-9864-28fe199e6370
type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'Get-ADComputer '
- ' -Filter \*'
CommandLine|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: all of selection_*
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
medium
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
status testauthor Nasreddine Bencherchali (Nextron Systems)id db885529-903f-4c5d-9864-28fe199e6370
view Sigma YAML
title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
- id: 435e10e4-992a-4281-96f3-38b11106adde
type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ADComputer '
- ' -Filter \*'
ScriptBlockText|contains:
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: selection
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
medium
ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
status testauthor Cedric Maurugeonid 33e814e0-1f00-4e43-9c34-31fb7ae2b174
view Sigma YAML
title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'network'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
medium
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
status testauthor Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeonid f41dada5-3f56-4232-8503-3fb7f9cf2d60
view Sigma YAML
title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'storage'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
medium
ESXi System Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
status testauthor Cedric Maurugeonid e80273e1-9faf-40bc-bd85-dbaff104c4e9
view Sigma YAML
title: ESXi System Information Discovery Via ESXCLI
id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
status: test
description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
level: medium
medium
ESXi VM List Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
status testauthor Cedric Maurugeonid 5f1573a7-363b-4114-9208-ad7a61de46eb
view Sigma YAML
title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: test
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
- https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'vm process'
CommandLine|endswith: ' list'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
medium
ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
status testauthor Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeonid d54c2f06-aca9-4e2b-81c9-5317858f4b79
view Sigma YAML
title: ESXi VSAN Information Discovery Via ESXCLI
id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
status: test
description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
references:
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'vsan'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
medium
Enumerate All Information With Whoami.EXE
Detects the execution of "whoami.exe" with the "/all" flag
title: Enumerate All Information With Whoami.EXE
id: c248c896-e412-4279-8c15-1c558067b6fa
status: test
description: Detects the execution of "whoami.exe" with the "/all" flag
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-04
modified: 2024-03-05
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_main_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_main_cli:
CommandLine|contains|windash: ' -all'
condition: all of selection_main_*
falsepositives:
- Unknown
level: medium
medium
Get-ADUser Enumeration Using UserAccountControl Flags
Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
status testauthor frack113id 96c982fe-3d08-4df4-bed2-eb14e02f21c8
view Sigma YAML
title: Get-ADUser Enumeration Using UserAccountControl Flags
id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
status: test
description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
- https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
author: frack113
date: 2022-03-17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# 4194304 DONT_REQ_PREAUTH
ScriptBlockText|contains|all:
- 'Get-ADUser'
- '-Filter'
- 'useraccountcontrol'
- '-band'
- '4194304'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
medium
Group Membership Reconnaissance Via Whoami.EXE
Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
status testauthor Nasreddine Bencherchali (Nextron Systems)id bd8b828d-0dca-48e1-8a63-8a58ecf2644f
view Sigma YAML
title: Group Membership Reconnaissance Via Whoami.EXE
id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f
status: test
description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
tags:
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_cli:
CommandLine|contains:
- ' /groups'
- ' -groups'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
User Discovery And Export Via Get-ADUser Cmdlet
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
status testauthor Nasreddine Bencherchali (Nextron Systems)id 1114e048-b69c-4f41-bc20-657245ae6e3f
view Sigma YAML
title: User Discovery And Export Via Get-ADUser Cmdlet
id: 1114e048-b69c-4f41-bc20-657245ae6e3f
related:
- id: c2993223-6da8-4b1a-88ee-668b8bf315e9
type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'Get-ADUser '
- ' -Filter \*'
CommandLine|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: all of selection_*
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
medium
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
status testauthor Nasreddine Bencherchali (Nextron Systems)id c2993223-6da8-4b1a-88ee-668b8bf315e9
view Sigma YAML
title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
id: c2993223-6da8-4b1a-88ee-668b8bf315e9
related:
- id: 1114e048-b69c-4f41-bc20-657245ae6e3f
type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ADUser '
- ' -Filter \*'
ScriptBlockText|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: selection
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
medium
Whoami.EXE Execution Anomaly
Detects the execution of whoami.exe with suspicious parent processes.
status testauthor Florian Roth (Nextron Systems)id 8de1cbe8-d6f5-496d-8237-5f44a721c7a0
view Sigma YAML
title: Whoami.EXE Execution Anomaly
id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0
status: test
description: Detects the execution of whoami.exe with suspicious parent processes.
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2025-03-06
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
filter_main_known_parents:
# This list can be any legitimate shell or application that you expect whoami to run from
ParentImage|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_optional_ms_monitoring_agent:
ParentImage|endswith: ':\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
filter_main_parent_null:
ParentImage: null
filter_main_parent_empty:
ParentImage:
- ''
- '-'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
- Monitoring activity
level: medium
medium
Whoami.EXE Execution With Output Option
Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
title: Whoami.EXE Execution With Output Option
id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
status: test
description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2023-12-04
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_main_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_main_cli:
CommandLine|contains:
- ' /FO CSV'
- ' -FO CSV'
selection_special:
CommandLine|contains: 'whoami*>'
condition: all of selection_main_* or selection_special
falsepositives:
- Unknown
level: medium
low
Cisco Discovery
Find information about network devices that is not stored in config files
status testauthor Austin Clarkid 9705a6a1-6db6-4a16-a987-15b7151e299b
view Sigma YAML
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
- https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
- attack.discovery
- attack.t1083
- attack.t1201
- attack.t1057
- attack.t1018
- attack.t1082
- attack.t1016
- attack.t1049
- attack.t1033
- attack.t1124
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'dir'
- 'show arp'
- 'show cdp'
- 'show clock'
- 'show ip interface'
- 'show ip route'
- 'show ip sockets'
- 'show processes'
- 'show ssh'
- 'show users'
- 'show version'
condition: keywords
falsepositives:
- Commonly used by administrators for troubleshooting
level: low
low
Local Accounts Discovery
Local accounts, System Owner/User discovery using operating systems utilities
status testauthor Timur Zinniatullin, Daniil Yugoslavskiy, oscd.communityid 502b42de-4306-40b4-9596-6f590c81f073
view Sigma YAML
title: Local Accounts Discovery
id: 502b42de-4306-40b4-9596-6f590c81f073
status: test
related:
- id: e28a5a99-da44-436d-b7a0-2afc20a5f413 # Whoami Utility Execution
type: obsolete
description: Local accounts, System Owner/User discovery using operating systems utilities
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2025-10-20
tags:
- attack.discovery
- attack.t1033
- attack.t1087.001
logsource:
category: process_creation
product: windows
detection:
selection_other_img:
- Image|endswith:
- '\whoami.exe'
- '\quser.exe'
- '\qwinsta.exe'
- OriginalFileName:
- 'whoami.exe'
- 'quser.exe'
- 'qwinsta.exe'
selection_other_wmi:
Image|endswith: '\wmic.exe'
CommandLine|contains|all:
- 'useraccount'
- 'get'
selection_other_cmdkey:
Image|endswith: '\cmdkey.exe'
CommandLine|contains: ' /l'
selection_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- ' /c'
- 'dir '
- '\Users\'
filter_cmd:
CommandLine|contains: ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
selection_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'user'
filter_net:
CommandLine|contains:
- '/domain' # local account discovery only
- '/add' # discovery only
- '/delete' # discovery only
- '/active' # discovery only
- '/expires' # discovery only
- '/passwordreq' # discovery only
- '/scriptpath' # discovery only
- '/times' # discovery only
- '/workstations' # discovery only
condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
falsepositives:
- Legitimate administrator or user enumerates local users for legitimate reason
level: low
low
Suspicious PowerShell Get Current User
Detects the use of PowerShell to identify the current logged user.
status testauthor frack113id 4096a49c-7de4-4da0-a230-c66ccd56ea5a
view Sigma YAML
title: Suspicious PowerShell Get Current User
id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
status: test
description: Detects the use of PowerShell to identify the current logged user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
author: frack113
date: 2022-04-04
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- '[System.Environment]::UserName'
- '$env:UserName'
- '[System.Security.Principal.WindowsIdentity]::GetCurrent()'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: low
low
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
status testauthor Timur Zinniatullin, oscd.communityid 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
view Sigma YAML
title: System Owner or User Discovery - Linux
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: test
description: |
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2025-06-04
tags:
- attack.discovery
- attack.t1033
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0:
- 'hostname'
- 'id'
- 'last'
- 'uname'
- 'users'
- 'w'
- 'who'
- 'whoami'
condition: selection
falsepositives:
- Admin activity
level: low