Process

unknown

whoami.exe

whoami.exe is the command-line tool that reports the identity of the current user: the account name, its security identifier (SID), the groups it belongs to, and the privileges its token holds. Administrators use it to confirm which context a shell is running in. Attackers run it as one of the first things after gaining access, to learn whose account they hold and what level of access they have landed with.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

whoami.exe prints information from the current process's access token. With no arguments it shows the domain and user name. /user adds the account SID, /groups lists the groups in the token with their SIDs and attributes, /priv lists the privileges and whether each is enabled or disabled, and /all prints all of it at once: user, SID, groups, and privileges. The genuine binary lives at C:\Windows\System32\whoami.exe; on 64-bit Windows a 32-bit copy also sits in C:\Windows\SysWOW64\whoami.exe, which a 32-bit parent launches through file-system redirection even when it types the System32 path.

Legitimately, whoami appears in logon scripts and interactive admin sessions to confirm which account or privilege level a shell is running under. It only reads token information and changes nothing.

Security notes

whoami is a staple of the first moments after access (T1033). An attacker who lands in a shell runs it to see whose account they hold and, with /priv, whether that token already carries powerful privileges like SeDebugPrivilege or SeImpersonatePrivilege that open a path to escalation. /groups and /all reveal the group memberships that map out what the account can reach (T1069.001).

The command is harmless by itself. What matters is the company it keeps: a whoami launched by a web server or an Office process, or as the first of several discovery commands in quick succession, reads as hands-on-keyboard reconnaissance rather than administration.

Anomaly signals
  • Image path other than C:\Windows\System32\whoami.exe (high)
  • Parent is an Office application, a script host, or a service process (high)
  • whoami /priv or /all run moments after a process starts (med)
  • Run as the opening move in a burst of discovery commands (med)
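The four signals above can be scored from ordinary process-creation telemetry. The block below is an added example written for this page, not code from the page's own detection content: it models events on Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, ParentProcessGuid, LogonId, UtcTime), joins each whoami event to its parent's creation event to measure how fresh the parent is, and looks for a burst of distinct discovery binaries under the same logon session. The parent lists, the discovery-command list, the 60-second window, the three-command threshold, the 10-second "fresh parent" cutoff and the sample events are all assumptions constructed for the example; the third signal is read as whoami /priv or /all running moments after its parent process started.

```python
"""Score whoami.exe process-creation events against the anomaly signals on this page.

Events are modelled on Sysmon Event ID 1 field names. SAMPLE_EVENTS is constructed
for this example and is not captured telemetry.
"""
from datetime import datetime, timedelta

EXPECTED_IMAGE = r"c:\windows\system32\whoami.exe"

# Parents that should not normally spawn whoami (hypothetical, non-exhaustive lists).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SERVICE_PROCS = {"w3wp.exe", "svchost.exe", "services.exe"}
SUSPICIOUS_PARENTS = OFFICE_APPS | SCRIPT_HOSTS | SERVICE_PROCS

# Binaries that commonly appear together in hands-on-keyboard discovery.
DISCOVERY = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
             "tasklist.exe", "nltest.exe", "quser.exe", "hostname.exe", "netstat.exe"}

BURST_WINDOW = timedelta(seconds=60)   # assumed tuning values
BURST_MIN = 3
FRESH_PARENT = timedelta(seconds=10)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _burst_size(ordered, idx, ev):
    """Distinct discovery binaries this whoami opens within BURST_WINDOW under the same LogonId.
    Returns 0 when another discovery command from that logon already ran inside the window,
    i.e. when this whoami is not the opening move."""
    t0, logon = _ts(ev["UtcTime"]), ev["LogonId"]
    for earlier in reversed(ordered[:idx]):
        if t0 - _ts(earlier["UtcTime"]) > BURST_WINDOW:
            break
        if earlier["LogonId"] == logon and _basename(earlier["Image"]) in DISCOVERY:
            return 0
    seen = set()
    for later in ordered[idx:]:
        if _ts(later["UtcTime"]) - t0 > BURST_WINDOW:
            break
        if later["LogonId"] == logon and _basename(later["Image"]) in DISCOVERY:
            seen.add(_basename(later["Image"]))
    return len(seen)


def score_whoami(events):
    """Return {ProcessGuid: [(signal, severity), ...]} for every whoami.exe event."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    ordered = sorted(events, key=lambda e: _ts(e["UtcTime"]))
    findings = {}
    for idx, ev in enumerate(ordered):
        if _basename(ev["Image"]) != "whoami.exe":
            continue
        hits = []
        if ev["Image"].lower() != EXPECTED_IMAGE:
            hits.append(("image path outside System32", "high"))
        parent = _basename(ev["ParentImage"])
        if parent in SUSPICIOUS_PARENTS:
            hits.append((f"parent is {parent}", "high"))
        args = ev["CommandLine"].lower()
        parent_ev = by_guid.get(ev["ParentProcessGuid"])   # join to the parent's own creation event
        if ("/priv" in args or "/all" in args) and parent_ev is not None:
            age = _ts(ev["UtcTime"]) - _ts(parent_ev["UtcTime"])
            if timedelta(0) <= age <= FRESH_PARENT:
                hits.append(("/priv or /all within seconds of parent start", "med"))
        n = _burst_size(ordered, idx, ev)
        if n >= BURST_MIN:
            hits.append((f"opens a discovery burst of {n} commands", "med"))
        findings[ev["ProcessGuid"]] = hits
    return findings


def _ev(t, guid, pguid, image, parent, cmd, logon):
    return {"UtcTime": t, "ProcessGuid": guid, "ParentProcessGuid": pguid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd, "LogonId": logon}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed for this example
    # An administrator's interactive shell confirming its context: nothing should fire.
    _ev("2024-05-01 09:00:00", "p1", "p0", SYS32 + r"\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe", "0x3e7a1"),
    _ev("2024-05-01 09:05:12", "p2", "p1", SYS32 + r"\whoami.exe", SYS32 + r"\cmd.exe", "whoami", "0x3e7a1"),
    # A web shell: w3wp.exe spawns cmd.exe, which runs whoami /priv two seconds later
    # and is followed by more discovery commands in quick succession.
    _ev("2024-05-01 13:00:00", "p3", "w1", SYS32 + r"\cmd.exe", SYS32 + r"\inetsrv\w3wp.exe", "cmd.exe", "0x4b2c0"),
    _ev("2024-05-01 13:00:02", "p4", "p3", SYS32 + r"\whoami.exe", SYS32 + r"\cmd.exe", "whoami /priv", "0x4b2c0"),
    _ev("2024-05-01 13:00:05", "p5", "p3", SYS32 + r"\net.exe", SYS32 + r"\cmd.exe", "net localgroup administrators", "0x4b2c0"),
    _ev("2024-05-01 13:00:09", "p6", "p3", SYS32 + r"\systeminfo.exe", SYS32 + r"\cmd.exe", "systeminfo", "0x4b2c0"),
    # A macro dropping a renamed copy and running it straight from Word.
    _ev("2024-05-01 15:30:41", "p7", "w7", r"C:\Users\Public\whoami.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "whoami.exe /all", "0x5d100"),
]

if __name__ == "__main__":
    for guid, hits in score_whoami(SAMPLE_EVENTS).items():
        print(guid, hits or "clean")
```

The join to the parent's creation event is what lets the third signal be evaluated at all: Event ID 1 carries the parent's GUID but not its start time, so the detector has to keep a short history of creations. The burst check keys on LogonId rather than on the parent, because an interactive attacker frequently spawns each discovery command from a new cmd.exe or PowerShell instance.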

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
