Whoami Execution by Any Parent Process
Basic detection of whoami.exe execution across all endpoints — one of the most common post-compromise enumeration commands used by attackers to identify current user context after initial access. Ideal for beginner threat hunters and SOC analysts building a baseline of identity enumeration activity in LogScale.

Tags: EDR, whoami, enumeration, discovery, beginner, post-compromise, T1033

FDR | Beginner | by darkreitor | 1 min read
Query

```
#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)whoami\.exe/
| groupBy([ComputerName, UserName, ParentBaseFileName], function=count(as=whoami_count))
| sort(whoami_count, order=desc, limit=50)
```

Explanation

| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Retrieves all process execution events from the Falcon Data Replicator — the primary FDR telemetry stream |
| `FileName=/(?i)whoami\.exe/` | Matches any execution of whoami.exe — the standard Windows tool for current-user enumeration, consistently used by attackers post-compromise |
| `groupBy([ComputerName, UserName, ParentBaseFileName], function=count(as=whoami_count))` | Groups by hostname, executing user, and parent process — the parent field is key to distinguishing legitimate admin scripts from attacker shells |
| `sort(whoami_count, order=desc, limit=50)` | Returns the top 50 most active host/user/parent combinations executing whoami, sorted by frequency for prioritized review |
Adjustable Variables
Add `not ParentBaseFileName=/(?i)(cmd\.exe|powershell\.exe)/` combined with a known-good script exclusion to reduce IT automation noise, so that only shells launching an approved script are filtered out rather than every shell-spawned whoami. Raise `limit` beyond 50 for environment-wide baselining. Combine with a time bucket (`bucket(span=1h)`) for temporal analysis during incident response.
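The same grouping, tuning exclusion and hourly bucketing as an added offline example (not part of the original page or of LogScale), run over constructed ProcessRollup2-style events. The `ParentCommandLine` field and the `C:\IT\inventory.ps1` allowlist entry are assumptions made for the example; in FDR the parent's command line has to be joined from the parent process's own event.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events shaped like the ProcessRollup2 fields the query uses.
# ParentCommandLine is an assumed extra field, included only so the known-good script exclusion can be shown.
EVENTS = [
    {"ts": "2024-05-01T09:02:10Z", "ComputerName": "WS-0412", "UserName": "jdoe", "FileName": "whoami.exe",
     "ParentBaseFileName": "cmd.exe", "ParentCommandLine": "cmd.exe /c whoami /all"},
    {"ts": "2024-05-01T09:03:44Z", "ComputerName": "WS-0412", "UserName": "jdoe", "FileName": "WHOAMI.EXE",
     "ParentBaseFileName": "cmd.exe", "ParentCommandLine": "cmd.exe /c whoami /groups"},
    {"ts": "2024-05-01T10:15:00Z", "ComputerName": "SRV-01", "UserName": "svc_inv", "FileName": "whoami.exe",
     "ParentBaseFileName": "powershell.exe", "ParentCommandLine": "powershell.exe -File C:\\IT\\inventory.ps1"},
    {"ts": "2024-05-01T11:15:00Z", "ComputerName": "SRV-01", "UserName": "svc_inv", "FileName": "whoami.exe",
     "ParentBaseFileName": "powershell.exe", "ParentCommandLine": "powershell.exe -File C:\\IT\\inventory.ps1"},
    {"ts": "2024-05-01T09:10:00Z", "ComputerName": "WS-0777", "UserName": "asmith", "FileName": "whoami.exe",
     "ParentBaseFileName": "w3wp.exe", "ParentCommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"ts": "2024-05-01T09:11:00Z", "ComputerName": "WS-0777", "UserName": "asmith", "FileName": "notepad.exe",
     "ParentBaseFileName": "explorer.exe", "ParentCommandLine": "explorer.exe"},
]

WHOAMI = re.compile(r"whoami\.exe", re.IGNORECASE)                 # FileName=/(?i)whoami\.exe/
SHELL_PARENT = re.compile(r"(cmd\.exe|powershell\.exe)", re.IGNORECASE)
KNOWN_GOOD_SCRIPT = re.compile(r"\\IT\\inventory\.ps1$", re.IGNORECASE)  # hypothetical allowlist entry

def is_it_automation(ev):
    """The tuning rule above: a shell parent that is running a known-good script."""
    return bool(SHELL_PARENT.search(ev["ParentBaseFileName"])
                and KNOWN_GOOD_SCRIPT.search(ev.get("ParentCommandLine", "")))

def hunt(events, exclude_automation=False, span_hours=None, limit=50):
    """groupBy([ComputerName, UserName, ParentBaseFileName]) + count, sorted descending."""
    counts = Counter()
    for ev in events:
        if not WHOAMI.search(ev["FileName"]):
            continue
        if exclude_automation and is_it_automation(ev):
            continue
        key = (ev["ComputerName"], ev["UserName"], ev["ParentBaseFileName"])
        if span_hours:  # bucket(span=...) equivalent: fold the time bucket into the group key
            t = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            key += (t.replace(hour=t.hour - t.hour % span_hours, minute=0, second=0).isoformat(),)
        counts[key] += 1
    return counts.most_common(limit)

if __name__ == "__main__":
    for key, n in hunt(EVENTS, exclude_automation=True, span_hours=1):
        print(n, *key)
```

With the exclusion on, the inventory script's two runs drop out while the w3wp.exe-spawned whoami (a web-shell-shaped parent) stays at the top of the review list.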