Language: SPL · License: Apache-2.0 · Source: splunk/security_content

Linux Auditd Whoami User Discovery

The following analytic detects the suspicious use of the whoami command, which may indicate an attacker trying to gather information about the current user account on a compromised system. The whoami command is commonly used to verify user privileges and identity, especially during initial stages of an attack to assess the level of access. By monitoring for unusual or unauthorized executions of whoami, this analytic helps in identifying potential reconnaissance activities, enabling security teams to take action before the attacker escalates privileges or conducts further malicious operations.

Quality: 59

Rule source: detections/endpoint/linux_auditd_whoami_user_discovery.yml
`linux_auditd` type=SYSCALL (comm=whoami OR exe="*/whoami")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe syscall uid ppid pid dest success
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_whoami_user_discovery_filter`
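The search above filters raw auditd SYSCALL records and aggregates them by process fields. The following Python is an added example, not code from splunk/security_content, that runs the same logic offline over a handful of constructed auditd lines: it parses the key=value record format, applies the `type=SYSCALL AND (comm=whoami OR exe ends in /whoami)` clause, and reproduces the `stats count min(_time) max(_time) by ...` grouping. The sample records, the `per_uid_counts` roll-up and all function names are assumptions made for illustration; `dest` is omitted from the grouping because it comes from Splunk host metadata rather than from the audit record itself.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not real captured data). The epoch
# timestamp lives inside msg=audit(<secs>.<ms>:<serial>).
SAMPLE_AUDITD_LINES = [
    'type=SYSCALL msg=audit(1712345600.101:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="whoami" exe="/usr/bin/whoami" key="exec"',
    'type=SYSCALL msg=audit(1712345605.202:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2211 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"',
    'type=SYSCALL msg=audit(1712345700.303:4003): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2212 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="whoami" exe="/usr/bin/whoami" key="exec"',
    'type=SYSCALL msg=audit(1712345800.404:4004): arch=c000003e syscall=59 success=no exit=-13 ppid=3301 pid=3310 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="sh" exe="/usr/local/bin/whoami" key="exec"',
    'type=EXECVE msg=audit(1712345800.404:4004): argc=1 a0="whoami"',
]

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AUDIT_TS_RE = re.compile(r"audit\((\d+)\.\d+:\d+\)")


def parse_auditd_line(line):
    """Parse one auditd record into a dict; quoted values are unquoted and the
    msg=audit(...) field is decoded into an integer epoch `_time`."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = AUDIT_TS_RE.search(fields.get("msg", ""))
    if m:
        fields["_time"] = int(m.group(1))
    return fields


def is_whoami_event(fields):
    """Mirror the rule's search clause:
    type=SYSCALL AND (comm=whoami OR exe matches */whoami)."""
    if fields.get("type") != "SYSCALL":
        return False
    return fields.get("comm") == "whoami" or fields.get("exe", "").endswith("/whoami")


# Same grouping as the rule's `stats ... by`, minus dest (host metadata).
GROUP_BY = ("comm", "exe", "syscall", "uid", "ppid", "pid", "success")


def summarize(lines):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime by ...`.
    Returns {group_tuple: {"count": n, "firstTime": t0, "lastTime": t1}}."""
    out = {}
    for line in lines:
        f = parse_auditd_line(line)
        if not is_whoami_event(f) or "_time" not in f:
            continue
        key = tuple(f.get(k, "") for k in GROUP_BY)
        t = f["_time"]
        agg = out.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], t)
        agg["lastTime"] = max(agg["lastTime"], t)
    return out


def per_uid_counts(lines):
    """Triage roll-up the rule itself does not do: whoami executions per uid.
    Useful for baselining, since admin shells and scripts call whoami legitimately."""
    counts = defaultdict(int)
    for line in lines:
        f = parse_auditd_line(line)
        if is_whoami_event(f):
            counts[f.get("uid", "")] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, agg in summarize(SAMPLE_AUDITD_LINES).items():
        print(dict(zip(GROUP_BY, key)), agg)
    print("per uid:", per_uid_counts(SAMPLE_AUDITD_LINES))
```

Because the rule groups by `pid`, every row it emits has `count=1` for a single execution; the `per_uid_counts` roll-up shows the kind of aggregation a tuning pass would add before deciding what belongs in `linux_auditd_whoami_user_discovery_filter`. Note that the fourth sample record still matches even though `comm` is `sh`, because the `exe="*/whoami"` clause catches a binary named whoami regardless of how the process reported itself.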