System User Discovery With Whoami

System User Discovery With Whoami

Description

This analytic looks for the execution of whoami.exe without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage whoami.exe to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.

   Help

System User Discovery With Whoami Help

To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node.

   Search

Open in Search