Merge pull request #571 from Neo23x0/devel

rule: whoami as local system

rules/windows/process_creation/win_susp_whoami_localsystem.yml

@@ -0,0 +1,22 @@
+title: Whoami as LOCAL_SYSTEM
+id: 1453b1a4-261b-4daf-afe1-2a400a838b5c
+status: experimental
+description: Detects the execution of whoami as LOCAL_SYSTEM, often used after privilege escalation by attackers who want to evaluate the new user context
+author: Florian Roth
+date: 2019/12/22
+tags:
+ - attack.discovery
+ - attack.t1033
+ - car.2016-03-001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains: '\whoami.exe'
+ User: 'NT AUTHORITY\SYSTEM' 
+ condition: selection
+falsepositives:
+ - Admin activity
+ - Scripts and administrative tools used in the monitored environment
+level: critical