LoFP / security testing tools and frameworks may run this command. some normal use of this command may originate from automation tools and frameworks.

Techniques

• T1033

Sample rules

User Discovery via Whoami

• source: elastic
• technicques:
  • T1033

Description

The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.

Detection logic

event.category:process and event.type:(start or process_started) and process.name:whoami