diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index e64f31380..1a3ee7046 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/06/03"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged
+Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged
 on to the local system.
 """
 false_positives = [
@@ -74,7 +74,24 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and process.name : "whoami.exe"
+process where event.type in ("start", "process_started") and process.name : "whoami.exe" and
+(
+
+ (/* scoped for whoami execution under system privileges */
+ (user.domain : ("NT AUTHORITY", "NT-AUTORITÄT", "AUTORITE NT", "IIS APPPOOL") or user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")) and
+
+ not (process.parent.name : "cmd.exe" and
+ process.parent.args : ("chcp 437>nul 2>&1 & C:\\WINDOWS\\System32\\whoami.exe /groups",
+ "chcp 437>nul 2>&1 & %systemroot%\\system32\\whoami /user",
+ "C:\\WINDOWS\\System32\\whoami.exe /groups",
+ "*WINDOWS\\system32\\config\\systemprofile*")) and
+ not (process.parent.executable : "C:\\Windows\\system32\\inetsrv\\appcmd.exe" and process.parent.args : "LIST") and
+ not process.parent.executable : ("C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
+ "C:\\Program Files\\Cohesity\\cohesity_windows_agent_service.exe")) or
+
+ process.parent.name : ("wsmprovhost.exe", "w3wp.exe", "wmiprvse.exe", "rundll32.exe", "regsvr32.exe")
+
+)
 '''
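Review bot: The reworded description in the first hunk now says "suspicious use" but does not tell the analyst what makes an execution qualify, so an alert reads as a generic whoami.exe detection even though the query change later in this diff narrows it to system-level accounts and a fixed set of parent processes. Since the description is the text shown with the alert, it should state that scope so triage does not start from the wrong assumption. A second sentence such as `Alerts are limited to executions under system-level accounts or from selected remote-management and script-host parents; see the query for the exclusions.` would cover it without restating the full predicate. The `updated_date` bump in the same hunk needs no change.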