whoami.exe (System Utility) - User Identity Discovery Security Analysis
whoami.exe displays **current user and privilege information**. While simple, it is a **universal reconnaissance command** run by nearly every attacker immediately after gaining access. whoami execution, especially with /all, /priv, or /groups flags, is a **strong indicator of compromise** in automated or malicious contexts.
Risk Summary
MEDIUM priority for SOC triage. whoami.exe is run by virtually every attacker post-compromise. Execution from an unusual parent (a webshell worker process, a service) or with the /priv or /all flags warrants investigation. Correlate with other reconnaissance commands.
Overview
What is whoami.exe?
whoami.exe displays current user identity and privilege information.
Core Functions
Identity Information:
- Current username
- Group memberships
- Privileges
- Security identifiers (SIDs)
Security Significance
- Universal Recon: First command run post-compromise
- Privilege Assessment: Attackers check their privileges
- Group Discovery: Identify admin group membership
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\whoami.exe |
| Parent | cmd.exe, powershell.exe |
| User | Logged-in user |
| Context | Command-line use |
Normal Usage
whoami
Common Locations
- C:\Windows\System32\whoami.exe
- C:\Windows\SysWOW64\whoami.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
- Command: whoami (simple)
- Parent: cmd.exe (user terminal)
- Context: User checking identity
- Frequency: Occasional
SUSPICIOUS
- Command: whoami /all, whoami /priv, whoami /groups
- Parent: w3wp.exe (webshell!), services.exe, or another unusual parent
- Context: After initial access, as part of a command sequence
Suspicious Patterns
| Pattern | Risk |
|---|---|
| whoami from webshell | CRITICAL |
| whoami /priv /all | HIGH |
| whoami in script chain | HIGH |
| Multiple whoami rapidly | MEDIUM |
Abuse Techniques
Attack Techniques
Technique #1: Initial Reconnaissance (T1033)
First Command Post-Compromise:
whoami
whoami /all
Technique #2: Privilege Assessment (T1033)
Check for Privilege Escalation Potential:
whoami /priv
:: Attackers look for SeDebugPrivilege, SeImpersonatePrivilege
Technique #3: Group Enumeration (T1069.001)
whoami /groups
:: Check for admin group membership
Webshell Pattern
w3wp.exe → cmd.exe → whoami
Detection Guidance
Detection Strategies
Priority #1: Unusual Parent Process
Process = "whoami.exe" AND
Parent IN ["w3wp.exe", "httpd.exe", "java.exe", "services.exe"]
→ ALERT: CRITICAL - Possible webshell/compromise
Priority #2: Privilege Enumeration
Process = "whoami.exe" AND
CommandLine CONTAINS ["/priv", "/all", "/groups"]
→ ALERT: HIGH - Privilege reconnaissance
Priority #3: Correlation
whoami.exe followed by net.exe, systeminfo.exe within 60 seconds
→ ALERT: HIGH - Reconnaissance chain
Sigma Rule:
title: Whoami from Suspicious Parent
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\whoami.exe'
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\httpd.exe'
            - '\tomcat*.exe'
    condition: selection
level: critical
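The three detection priorities above (unusual parent, privilege-enumeration flags, and a follow-on recon binary within 60 seconds on the same host) expressed as one triage function, as an added example that is not part of the original page or of any SIEM product. It runs over a constructed set of process-creation events; the ProcEvent fields and the host-scoped correlation are assumptions about how the telemetry would be shaped.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "java.exe", "services.exe"}  # Priority #1 (CRITICAL)
RECON_FLAGS = ("/priv", "/all", "/groups")                                 # Priority #2 (HIGH)
FOLLOW_ON = {"net.exe", "systeminfo.exe"}                                   # Priority #3 (HIGH)
WINDOW = timedelta(seconds=60)                                              # correlation window

@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str      # created process: bare name or full path
    parent: str     # parent process: bare name or full path
    cmdline: str

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (bare names pass through)."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(events):
    """Apply the three detection priorities; return (severity, reason, event) tuples."""
    alerts, by_host = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    for evs in by_host.values():
        for i, e in enumerate(evs):
            if basename(e.image) != "whoami.exe":
                continue
            if basename(e.parent) in SUSPICIOUS_PARENTS:
                alerts.append(("CRITICAL", "whoami from suspicious parent", e))
            if any(f in e.cmdline.lower() for f in RECON_FLAGS):
                alerts.append(("HIGH", "privilege reconnaissance flags", e))
            # Correlation: a follow-on recon binary on the same host inside WINDOW
            for later in evs[i + 1:]:
                if later.ts - e.ts > WINDOW:
                    break
                if basename(later.image) in FOLLOW_ON:
                    alerts.append(("HIGH", "reconnaissance chain", e))
                    break
    return alerts

# Constructed sample process-creation events (not real telemetry)
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "WEB01", r"C:\Windows\System32\whoami.exe", r"C:\Windows\System32\inetsrv\w3wp.exe", "whoami /all"),
    ProcEvent(T0 + timedelta(seconds=20), "WEB01", "net.exe", "cmd.exe", "net user"),
    ProcEvent(T0 + timedelta(minutes=5), "WKS02", "whoami.exe", "cmd.exe", "whoami"),
    ProcEvent(T0 + timedelta(minutes=10), "WKS02", "systeminfo.exe", "cmd.exe", "systeminfo"),
]
```

On the sample set the WEB01 whoami raises all three alerts, while the plain whoami on WKS02 (cmd.exe parent, no flags, systeminfo five minutes later) raises none, which is the benign baseline the Normal Behavior section describes.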
Remediation Steps
Protection and Remediation
Defense: Monitor Execution Context
Alert on whoami from web server processes.
If Reconnaissance Detected
- Identify parent process
- Check for webshell indicators
- Review subsequent commands
- Assess privilege level obtained
- Investigate initial access vector
- Contain and remediate
Investigation Checklist
- Identify parent process
- Check for unusual execution context
- Review command line flags
- Check subsequent commands
- Look for webshell indicators
- Assess what privileges were revealed
- Correlate with other recon activity