Basic whoami.exe Execution Monitor
A simple query that detects any whoami.exe execution on endpoints. whoami is frequently the first command attackers run after gaining initial access, to verify the user context and privileges; it is referenced in multiple APT profiles, including APT3 and APT28.
Tags: EDR, whoami, discovery, beginner, initial-access, T1033
FDR | Beginner | by CQL Hub | 1 min read
Query
#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)\\whoami\.exe$/
| select([timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName])
| sort(timestamp, order=desc, limit=100)
Explanation
| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Filters process creation events from the Falcon sensor FDR repository |
| `FileName=/(?i)\\whoami\.exe$/` | Selects executions of the whoami.exe command regardless of case or full path |
| `select([timestamp, ComputerName, ...])` | Selects the most relevant fields for analysis: time, host, user, command line and parent process |
| `sort(timestamp, order=desc, limit=100)` | Orders by the most recent events and limits output to the last 100 for quick review |
Adjustable Variables
- limit=100: adjust according to the environment's volume (raise to 500 for broader searches).
- Add a time filter with a specific window when investigating a particular incident.
- Add ParentBaseFileName!=/(?i)explorer\.exe/ to exclude legitimate interactive use.
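To show what the query's filter, select and sort stages do in practice, and how the parent-process exclusion from the adjustable variables changes the result, here is an added Python example that is not part of the CQL Hub page and is not CrowdStrike code. It runs the same logic over a handful of constructed ProcessRollup2-style records (invented values, not real telemetry). The regex is a hypothetical equivalent of the query's: it accepts either a bare file name or a full path, case-insensitively, anchored at the end so names like `whoami.exe.bak` do not match.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the shape of Falcon ProcessRollup2 records.
# All values are invented for this demonstration, not real telemetry.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:00Z", "ComputerName": "WS01", "UserName": "alice",
     "FileName": "whoami.exe", "CommandLine": "whoami /all", "ParentBaseFileName": "cmd.exe"},
    {"timestamp": "2024-05-01T10:05:00Z", "ComputerName": "WS02", "UserName": "bob",
     "FileName": "WHOAMI.EXE", "CommandLine": "WHOAMI", "ParentBaseFileName": "powershell.exe"},
    {"timestamp": "2024-05-01T09:50:00Z", "ComputerName": "WS03", "UserName": "carol",
     "FileName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
     "ParentBaseFileName": "explorer.exe"},
    {"timestamp": "2024-05-01T10:02:00Z", "ComputerName": "WS01", "UserName": "alice",
     "FileName": "notepad.exe", "CommandLine": "notepad", "ParentBaseFileName": "explorer.exe"},
    {"timestamp": "2024-05-01T10:03:00Z", "ComputerName": "WS04", "UserName": "dave",
     "FileName": "whoami.exe.bak", "CommandLine": "copy whoami.exe.bak",
     "ParentBaseFileName": "cmd.exe"},
    {"timestamp": "2024-05-01T10:04:00Z", "ComputerName": "WS05", "UserName": "eve",
     "FileName": "notwhoami.exe", "CommandLine": "notwhoami", "ParentBaseFileName": "cmd.exe"},
]

# Hypothetical equivalent of the query's FileName regex: case-insensitive,
# matches a bare name or the last path component, anchored at the end.
WHOAMI_RE = re.compile(r"(?i)(?:^|\\)whoami\.exe$")

# Fields kept by the query's select() stage.
SELECTED_FIELDS = ("timestamp", "ComputerName", "UserName", "CommandLine", "ParentBaseFileName")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt_whoami(events, limit=100, exclude_parents=()):
    """Return the newest `limit` whoami.exe executions projected to the selected
    fields, skipping events whose parent process is listed in exclude_parents
    (the tuning suggested under Adjustable Variables)."""
    excluded = {p.lower() for p in exclude_parents}
    hits = [
        e for e in events
        if WHOAMI_RE.search(e.get("FileName", ""))
        and e.get("ParentBaseFileName", "").lower() not in excluded
    ]
    # sort(timestamp, order=desc, limit=N): newest first, then truncate.
    hits.sort(key=lambda e: parse_ts(e["timestamp"]), reverse=True)
    return [{f: e.get(f) for f in SELECTED_FIELDS} for e in hits[:limit]]


if __name__ == "__main__":
    # Same as the base query: three hits, newest first.
    for row in hunt_whoami(SAMPLE_EVENTS):
        print(row)
    print("--- with explorer.exe parents excluded ---")
    for row in hunt_whoami(SAMPLE_EVENTS, exclude_parents=("explorer.exe",)):
        print(row)
```

Against the constructed data the base logic returns three rows (WS02, WS01, WS03 in descending time order); adding the explorer.exe parent exclusion drops the interactive WS03 execution and leaves the two spawned from cmd.exe and powershell.exe, which is the reduction in noise the tuning note is after.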