{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/cohesity/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Monitoring Agent","Cohesity Windows Agent"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cohesity"],"content_html":"\u003cp\u003eThe \u003ccode\u003ewhoami\u003c/code\u003e utility is commonly used by attackers post-compromise to gather information about the current user and their privileges on a compromised system. This information helps attackers assess their level of access and plan further actions within the environment, such as privilege escalation or lateral movement. This activity is most concerning when executed by SYSTEM accounts or from unusual parent processes. This detection identifies unusual or suspicious executions of \u003ccode\u003ewhoami.exe\u003c/code\u003e, especially when associated with system privileges or specific parent processes known to be abused by attackers. The rule is designed to function across various Windows environments and considers potential false positives from legitimate administrative tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker may attempt to elevate privileges to a higher level, potentially SYSTEM.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e to determine the current user and their privileges.\u003c/li\u003e\n\u003cli\u003eInformation Gathering: The attacker analyzes the output of \u003ccode\u003ewhoami.exe\u003c/code\u003e to understand the context of the compromised system.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Conditional): Based on the information gathered, the attacker may attempt to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eFurther Exploitation: The attacker leverages the gathered information to further exploit the compromised system or network.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eObjective Completion: The attacker achieves their final objective, such as data exfiltration or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and reconnaissance can allow attackers to gain a deeper understanding of a compromised system. This may lead to further exploitation, lateral movement, and ultimately, the exfiltration of sensitive data or the disruption of critical services. While the \u003ccode\u003ewhoami\u003c/code\u003e command itself is not inherently malicious, its suspicious usage often indicates malicious activity within a compromised environment. The severity is low because the execution of whoami by itself is not enough to confirm malicious activity, and further investigation is needed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to detect \u003ccode\u003ewhoami.exe\u003c/code\u003e executions (reference: logs-endpoint.events.process-*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Whoami Process Activity\u0026rdquo; to your SIEM and tune it for your environment (reference: rule).\u003c/li\u003e\n\u003cli\u003eInvestigate parent processes of \u003ccode\u003ewhoami.exe\u003c/code\u003e for any suspicious or unusual activity (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor for other discovery commands executed around the same time as \u003ccode\u003ewhoami.exe\u003c/code\u003e (reference: Related rules).\u003c/li\u003e\n\u003cli\u003eReview and tune the false positives outlined in the rule to minimize noise (reference: false_positives).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-whoami-discovery/","summary":"This rule detects suspicious use of whoami.exe to display user, group, and privileges information for the user who is currently logged on to the local system, potentially indicating post-compromise discovery activity.","title":"Suspicious Whoami Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-whoami-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed — Cohesity","version":"https://jsonfeed.org/version/1.1"}