[Rule Tuning] Whoami Process Activity (#2224)

* added Whoami Process Activity

* Update discovery_whoami_command_activity.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Samirbous
2022-08-16 16:26:10 +02:00
committed by GitHub
parent 0f7b29918c
commit 8e0ae64a04
@@ -1,12 +1,12 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/06/03"
updated_date = "2022/08/03"
[rule]
author = ["Elastic"]
description = """
Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged
Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged
on to the local system.
"""
false_positives = [
@@ -74,7 +74,24 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and process.name : "whoami.exe"
process where event.type in ("start", "process_started") and process.name : "whoami.exe" and
(
(/* scoped for whoami execution under system privileges */
(user.domain : ("NT AUTHORITY", "NT-AUTORITÄT", "AUTORITE NT", "IIS APPPOOL") or user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")) and
not (process.parent.name : "cmd.exe" and
process.parent.args : ("chcp 437>nul 2>&1 & C:\\WINDOWS\\System32\\whoami.exe /groups",
"chcp 437>nul 2>&1 & %systemroot%\\system32\\whoami /user",
"C:\\WINDOWS\\System32\\whoami.exe /groups",
"*WINDOWS\\system32\\config\\systemprofile*")) and
not (process.parent.executable : "C:\\Windows\\system32\\inetsrv\\appcmd.exe" and process.parent.args : "LIST") and
not process.parent.executable : ("C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
"C:\\Program Files\\Cohesity\\cohesity_windows_agent_service.exe")) or
process.parent.name : ("wsmprovhost.exe", "w3wp.exe", "wmiprvse.exe", "rundll32.exe", "regsvr32.exe")
)
'''
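Review bot: The cmd.exe exclusion on the `process.parent.args` lines allowlists on command-line text alone, and its last entry `"*WINDOWS\\system32\\config\\systemprofile*"` is a substring wildcard, so any SYSTEM-context whoami.exe spawned by a cmd.exe whose arguments merely contain that path is suppressed; unlike the `process.parent.executable` exclusions that follow, this branch is not anchored to a specific parent binary or path. Consider pairing that entry with a `process.parent.executable` condition, or narrowing it to the exact task/service command lines that were observed, and record where each excluded string came from so the allowlist can be re-validated later, e.g. extend the existing comment to `/* scoped for whoami execution under system privileges; cmd.exe exclusions below match on argument text only, document their source before adding entries */`. The same comment's "system privileges" wording also does not quite match `IIS APPPOOL` in the `user.domain` list on the next line, which denotes application-pool virtual accounts rather than SYSTEM or service SIDs, so the comment should say so. The `false_positives` array and whatever follows the closing `'''` (threat mapping, etc.) lie outside these hunks and should be reviewed for consistency with the narrowed scope.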