Security Privileges Enumeration Via Whoami.EXE (97a80ec7-0e2f-4d05-9ef4-65760e634f6b)
Detects execution of whoami.exe with the /priv command-line flag, which instructs the tool to show all privileges of the current user. This is often used after a privilege escalation attempt.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | Security Privileges Enumeration Via Whoami.EXE (97a80ec7-0e2f-4d05-9ef4-65760e634f6b) | Sigma-Rules | 1 |