From bd0a2a1b9fc2e6bb9eba75df0b3684e9d31d9fa8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 12 Aug 2021 13:27:51 +0200
Subject: [PATCH] rule: renamed whoami

---
 .../process_creation/win_renamed_whoami.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/process_creation/win_renamed_whoami.yml

diff --git a/rules/windows/process_creation/win_renamed_whoami.yml b/rules/windows/process_creation/win_renamed_whoami.yml
new file mode 100644
index 000000000..25cd21fc1
--- /dev/null
+++ b/rules/windows/process_creation/win_renamed_whoami.yml
@@ -0,0 +1,25 @@
+title: Renamed Whoami Execution
+id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
+status: experimental
+description: Detects the execution of whoami that has been renamed to a different name to avoid detection
+references:
+ - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
+ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
+author: Florian Roth
+date: 2021/08/12
+tags:
+ - attack.discovery
+ - attack.t1033
+ - car.2016-03-001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: 'whoami.exe'
+ filter:
+ Image|endswith: '\whoami.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
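Review bot: The selection matches only on `OriginalFileName`, a field taken from the PE version resource and present in Sysmon Event ID 1 and comparable EDR process telemetry but absent from Windows Security 4688, so on a plain Security-log source the rule silently matches nothing; the description or logsource should say which telemetry is required. Suggested wording for the description: `Detects the execution of whoami that has been renamed to a different name to avoid detection. Requires process creation events that carry the OriginalFileName field (e.g. Sysmon Event ID 1).` Given `status: experimental` and `falsepositives: Unknown`, `level: critical` is a strong default to ship with; a short note in falsepositives on what was checked before choosing that level would help operators tune it. The filter on `Image|endswith: '\whoami.exe'` is the only exclusion, so any legitimate copy of the binary under another name will alert; that is intended by the rule, but worth stating explicitly.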