What is whoami?
whoami is a command-line utility program for computers. It answers the question, “Who am I logged in as?” and is one of the basic tools included in today’s Windows, Linux, macOS, and Unix operating systems (OSes).
Windows whoami Command
The whoami command became available as a standard part of the Windows operating system with the release of Windows XP Professional and Windows Server 2003. To run this command on current versions of the Windows OS, follow these steps:
- Hold down the Windows Key, and press R to bring up the Run window.
- Type CMD, and then press Enter to open the command prompt.
- At the command prompt, type whoami and then press Enter to view the username.
Linux, macOS, and Unix whoami Command
The whoami command was first introduced in Unix Version 6, which was released in 1975. (Linux and macOS have always included this command in their distributions, given their Unix-based heritage.) To run the whoami command on current versions of macOS and standard versions of the Linux and Unix operating systems, follow these steps:
- Open Terminal.
- Type whoami and press Enter.
Uses for the whoami Command
The whoami utility was first introduced in Unix Version 6, which was released in 1975, when computers were large and very expensive and computer terminals were often shared among multiple users. When invoked, the whoami command displayed the username of whoever was logged into the current session.
This function was particularly valuable for system operators (SysOps) who ran computer labs and employees who shared a designated terminal with other employees. It provided a simple way for users to confirm their logged-in identity and verify they were completing tasks under the correct account. In instances when a shared terminal was left on and unattended, for example, the next user could use the command to identify who was logged in. This information made it possible to approach the person, if known, and request them to log off.
whoami was easy to use, and it had an easy-to-remember name. Even today, when computer labs are a thing of the past, and it’s more than likely that each employee has their own computer, whoami is still a helpful troubleshooting tool.
Network administrators and help desk personnel use the utility to confirm they’re logged in with the expected user account. If there are unexpected permissions issues or other user-related problems, this is a quick way to rule out the possibility that an action is failing simply because the wrong user is attempting it.
Unfortunately, the utility’s simplicity and ability to reveal user details have also made it a popular tool for threat actors.
How Threat Actors Use the whoami Command
At first glance, the whoami utility seems like a basic, innocuous tool – but in the hands of a threat actor, whoami can be a dangerous enumeration tool.
In the context of cybersecurity, enumeration is the second step of an attack. During the first step, reconnaissance, the threat actor gathers as much information as possible about the target system without directly interacting with it. During the second step, enumeration, the attacker begins to directly interact with the target system to gather information.
Enumeration is a critical phase in the attack chain. It allows the attacker to orient themselves within a new environment and make strategic decisions about their next move. whoami can be a handy tool for this step.
Here is how an attacker who has been able to successfully compromise a Windows machine on a corporate network might use whoami to probe for additional attack vectors:
- Use whoami to see what account they have compromised.
- Use whoami /priv to see what privileges the account has.
- Use whoami /groups to determine what security groups the account belongs to.
If an attacker is not concerned about detection, they could even use whoami /all to get a more comprehensive view of the account they have compromised. This would tell them:
- The current user’s SID (Security Identifier).
- The user’s name and the domain to which they belong.
- The security groups the current user is a member of.
- The SIDs for each group.
- The attributes associated with group memberships.
- Privileges that are enabled or disabled during the current user session.
- The unique identifier for the user’s current logon session.
Once the malicious actor knows who they have compromised, they can move forward with their attack. If they’ve compromised a low-privilege user, they might start looking for privilege escalation vulnerabilities. On the other hand, if they’ve compromised a high-privilege user, they might start looking for valuable data to steal or probe for ways to move laterally in the network.
Many Information and Communications Technology (ICT) departments create usernames that follow the same pattern for the sake of simplicity and standardization. Once the attacker knows one username through whoami, they can use the naming convention to predict other usernames. This, along with a little research on the internet, can make it easier to conduct phishing attacks.
Unfortunately, if an intruder is able to run whoami, it indicates they already have some level of unauthorized access. To prevent whoami from being used for malicious purposes, ICT administrators should consider taking the following steps:
- Use security mechanisms to restrict the execution of whoami based on user role.
- Monitor system logs for frequent use of whoami or unexpected use of the command from new locations and/or time zones.
- Isolate virtual LANs (VLANs) based on user requirements to limit attack surfaces.
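The second recommendation above, monitoring logs for frequent or unexpected whoami use, can be turned into a concrete check. The following Python script is an added example and is not part of the original article. It reads a handful of constructed process-creation records whose field names follow the Windows Security Event ID 4688 schema (TimeCreated, Computer, SubjectUserName, NewProcessName, CommandLine, as exported when command-line auditing is enabled) and flags three patterns: the enumeration switches named in the article (/all, /priv, /groups), bursts of whoami executions by one account on one host, and executions outside an assumed 08:00 to 18:00 working window. The hostnames, usernames, timestamps and the working-hours window are assumptions chosen for the example.

```python
"""Spot whoami-based enumeration in Windows process-creation telemetry.

Added example, not code from the original article. It reads constructed
JSON-lines records modelled on Windows Security Event ID 4688 (process
creation with command-line auditing enabled) and flags the patterns the
article recommends watching for: enumeration switches, bursts of whoami
executions by one account on one host, and use outside business hours.
The field names follow the 4688 schema; every record value is made up.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one benign analyst check, a service account
# running whoami /all, /priv and /groups in quick succession at 03:00, an
# unrelated notepad.exe launch that must be ignored, and one more benign run.
SAMPLE_LOG = r"""
{"TimeCreated": "2024-05-01T09:15:00", "Computer": "WS01", "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"}
{"TimeCreated": "2024-05-01T03:02:10", "Computer": "WS07", "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"}
{"TimeCreated": "2024-05-01T03:02:15", "Computer": "WS07", "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /priv"}
{"TimeCreated": "2024-05-01T03:02:21", "Computer": "WS07", "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /groups"}
{"TimeCreated": "2024-05-01T10:00:00", "Computer": "WS01", "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"TimeCreated": "2024-05-01T14:30:00", "Computer": "WS02", "SubjectUserName": "bob", "NewProcessName": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"}
"""

# Switches the article names as enumeration aids.
ENUM_SWITCHES = {"/all", "/priv", "/groups"}


def parse_records(text):
    """Parse JSON-lines text into dicts, adding a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["TimeCreated"])
        records.append(rec)
    return records


def whoami_events(records):
    """Keep only process-creation events whose image is whoami.exe."""
    def image_name(path):
        return path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [r for r in records if image_name(r["NewProcessName"]) == "whoami.exe"]


def detect_switch_enumeration(events):
    """Events whose command line carries /all, /priv or /groups."""
    hits = []
    for ev in events:
        tokens = {t.lower() for t in ev["CommandLine"].split()}
        if tokens & ENUM_SWITCHES:
            hits.append(ev)
    return hits


def detect_bursts(events, window=timedelta(minutes=5), threshold=3):
    """(host, user) pairs that ran whoami at least `threshold` times within `window`."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["Computer"], ev["SubjectUserName"])].append(ev["ts"])
    bursts = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key)
                break
    return sorted(bursts)


def detect_off_hours(events, start_hour=8, end_hour=18):
    """whoami runs outside the assumed working window (08:00-18:00 by default)."""
    return [ev for ev in events if not start_hour <= ev["ts"].hour < end_hour]


def analyze(text):
    """Run all three checks over the log text and return the findings."""
    events = whoami_events(parse_records(text))
    return {
        "enumeration_switches": detect_switch_enumeration(events),
        "bursts": detect_bursts(events),
        "off_hours": detect_off_hours(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for ev in findings["enumeration_switches"]:
        print(f"[switches]  {ev['ts']} {ev['Computer']} {ev['SubjectUserName']}: {ev['CommandLine']}")
    for host, user in findings["bursts"]:
        print(f"[burst]     {host} {user}: repeated whoami within 5 minutes")
    for ev in findings["off_hours"]:
        print(f"[off-hours] {ev['ts']} {ev['Computer']} {ev['SubjectUserName']}: {ev['CommandLine']}")
```

On the constructed input, the single whoami runs by alice and bob during the day produce no findings, while the svc_backup sequence trips all three checks. In a real deployment the same logic would be fed by 4688 events (or Sysmon Event ID 1) collected centrally, and the working-hours window and burst threshold would be tuned per account type, since help desk staff legitimately run whoami more often than a backup service account ever should.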