security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/process_creation/proc_creation_win_whoami_output.yml
T
github-actions[bot] 08c52c367c Merge PR #5027 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-10-01 14:56:09 +02:00

33 lines
1.1 KiB
YAML
Raw Blame History

title: Whoami.EXE Execution With Output Option
id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
status: test
description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2023-12-04
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_main_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_main_cli:
CommandLine|contains:
- ' /FO CSV'
- ' -FO CSV'
selection_special:
CommandLine|contains: 'whoami*>'
condition: all of selection_main_* or selection_special
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink