WhoAmI as Parameter (e9142d84-fbe0-401d-ac50-3e519fb00c89)
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | WhoAmI as Parameter (e9142d84-fbe0-401d-ac50-3e519fb00c89) | Sigma-Rules | 1 |