Whoami Process Activity
Identifies use of whoami.exe, which displays user, group, and privilege
information for the user who is currently logged on to the local system.
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Potential false positives
Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual.
Rule query
process.name:whoami.exe and event.code:1
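As an added example (not part of the Elastic rule documentation), the rule query and the scheduling parameters above re-expressed in Python and run over constructed winlogbeat-style events. The `id` field on each event and the de-duplication step are assumptions made for illustration; they show why the 6-minute look-back on a 5-minute schedule returns some events twice.

```python
from datetime import datetime, timedelta, timezone

# Constructed winlogbeat-style events (Sysmon event code 1 = process creation).
# Timestamps are relative to NOW; "id" is a constructed key used only for de-duplication.
NOW = datetime(2020, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"id": "e1", "@timestamp": NOW - timedelta(minutes=1), "event": {"code": "1"},
     "process": {"name": "whoami.exe"}, "user": {"name": "alice"}},   # should alert
    {"id": "e2", "@timestamp": NOW - timedelta(minutes=2), "event": {"code": "3"},
     "process": {"name": "whoami.exe"}, "user": {"name": "alice"}},   # network event, not creation
    {"id": "e3", "@timestamp": NOW - timedelta(minutes=3), "event": {"code": "1"},
     "process": {"name": "cmd.exe"}, "user": {"name": "bob"}},        # different process
    {"id": "e4", "@timestamp": NOW - timedelta(minutes=5, seconds=30), "event": {"code": "1"},
     "process": {"name": "whoami.exe"}, "user": {"name": "carol"}},   # inside the 1-minute overlap
    {"id": "e5", "@timestamp": NOW - timedelta(minutes=10), "event": {"code": "1"},
     "process": {"name": "whoami.exe"}, "user": {"name": "dave"}},    # older than now-6m
]

def matches_query(event):
    """Python equivalent of the rule query: process.name:whoami.exe and event.code:1"""
    return (event.get("process", {}).get("name") == "whoami.exe"
            and str(event.get("event", {}).get("code")) == "1")

def evaluate_rule(events, now, lookback=timedelta(minutes=6), max_signals=100):
    """One rule execution: query the window [now - lookback, now], capped at max_signals."""
    start = now - lookback
    hits = [e for e in events if start <= e["@timestamp"] <= now and matches_query(e)]
    return hits[:max_signals]

def run_schedule(events, first_run, runs, interval=timedelta(minutes=5)):
    """Run the rule every `interval`. The 6-minute look-back overlaps the previous run by
    one minute, so an event in that overlap is returned twice and must be de-duplicated."""
    seen, signals = set(), []
    for i in range(runs):
        for e in evaluate_rule(events, first_run + i * interval):
            if e["id"] not in seen:
                seen.add(e["id"])
                signals.append(e)
    return signals
```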
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Discovery
  - ID: TA0007
  - Reference URL: https://attack.mitre.org/tactics/TA0007/
- Technique:
  - Name: System Owner/User Discovery
  - ID: T1033
  - Reference URL: https://attack.mitre.org/techniques/T1033/