Merge pull request #571 from Neo23x0/devel

rule: whoami as local system

rules/windows/process_creation/win_susp_whoami_localsystem.yml

@@ -0,0 +1,22 @@
+title: Whoami as LOCAL_SYSTEM
+id: 1453b1a4-261b-4daf-afe1-2a400a838b5c
+status: experimental
+description: Detects the execution of whoami as LOCAL_SYSTEM, often used after privilege escalation by attackers who want to evaluate the new user context
+author: Florian Roth
+date: 2019/12/22
+tags:
+    - attack.discovery
+    - attack.t1033
+    - car.2016-03-001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|contains: '\whoami.exe'
+        User: 'NT AUTHORITY\SYSTEM' 
+    condition: selection
+falsepositives:
+    - Admin activity
+    - Scripts and administrative tools used in the monitored environment
+level: critical