Group Membership Reconnaissance Via Whoami.EXE (bd8b828d-0dca-48e1-8a63-8a58ecf2644f)
Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Group Membership Reconnaissance Via Whoami.EXE (bd8b828d-0dca-48e1-8a63-8a58ecf2644f) | Sigma-Rules | System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | 1 |