Who am I? Asking for my file friend: whoami.exe…

There is a lot of talk about whoami.exe recently, so here’s one more post about it…

When we talk about whoami.exe we often think of it in ‘atomic’ terms: you run it, and you get the results. But by doing so we assume a lot, i.e. we implicitly mean the executable located in this place:

  • c:\windows\system32\whoami.exe

Of course, some of us know that there is also a 32-bit version on the 64-bit OS:

  • c:\windows\SysWOW64\whoami.exe

and then a bunch of copies in the WinSxS directory (file names are versioned):

  • c:\Windows\WinSxS\amd64_microsoft-windows-whoami_31bf3856ad364e35_10.0.19041.1_none_846d8bda2133af3c\whoami.exe
  • c:\Windows\WinSxS\wow64_microsoft-windows-whoami_31bf3856ad364e35_10.0.19041.1_none_8ec2362c55947137\whoami.exe
  • c:\Windows\WinSxS\amd64_microsoft-windows-whoami_31bf3856ad364e35_10.0.22621.1_none_30124a0a75945900\whoami.exe
  • c:\Windows\WinSxS\wow64_microsoft-windows-whoami_31bf3856ad364e35_10.0.22621.1_none_3a66f45ca9f51afb\whoami.exe

And of course, we can reveal the hard links for each of these tools using fsutil:

  • fsutil.exe hardlink list c:\windows\System32\whoami.exe
  • fsutil.exe hardlink list c:\windows\SysWOW64\whoami.exe

Plus, on Windows Arm, we have:

  • c:\Windows\SysArm32\whoami.exe

and the respective WinSxS directories (file names are versioned):

  • c:\Windows\WinSxS\arm64.arm_microsoft-windows-whoami_31bf3856ad364e35_10.0.22598.1_none_d3774312fcf7fb69\whoami.exe
  • c:\Windows\WinSxS\arm64.x86_microsoft-windows-whoami_31bf3856ad364e35_10.0.22598.1_none_d37c245afcf28323\whoami.exe
  • c:\Windows\WinSxS\arm64_microsoft-windows-whoami_31bf3856ad364e35_10.0.22598.1_none_2de72d3c78a075fb\whoami.exe

But there is more…

If you ever installed cygwin, you probably know of:

  • c:\Cygwin\bin\whoami.exe
  • c:\Cygwin64\bin\whoami.exe

There is also Git for Windows, which installs a lot of Windows-friendly Unix tools including, yes, you guessed right, whoami.exe:

  • c:\Program Files\Git\usr\bin\whoami.exe

At this stage, you are probably aware that Program Files is a nightmare, as it occurs in many architecture-specific forms and many localized versions.

You must be thinking now – this thing is multiplying quickly and spreading faster than covid!

But this is not THE END. There really is more.

A Pro version of software called System Scheduler installs the following whoami.exe file:

  • c:\Program Files (x86)\SystemScheduler\WhoAmI.exe

It is probably the first whoami.exe I have ever seen that shows the user info in a GUI – as a message box 🙂

Then comes another contender, a tool called MacroCommanderPro:

  • c:\Program Files (x86)\MacroCommander\Bin\WhoAmI.exe

Yes, it is also a GUI-based whoami 🙂

And this is just the tip of the iceberg…

The reason I write about all this is that some people like to say ‘the moment someone runs whoami.exe on one of your systems, this is an indication of early stages of compromise!’. Their confidence is built on ignorance. And yes, they may be right… yeah… but they are often very wrong…

Telemetry we deal with today is rich and useful, but threat hunting – as a discipline – is still in its early, naive stages. It’s healthy to assume that for every rule written, for every assumption, there is an exception that can be found and not only that — you will very often find it by combing telemetry generated by non-malicious sources…
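As an added example (not code from the original post), the triage logic below buckets whoami.exe process-creation events by image path into the OS-shipped, known third-party and unexpected locations the post enumerates, and contrasts that with the name-only rule the post criticises. The sample paths are constructed, and the location patterns cover only the paths listed here.

```python
import re

# Constructed sample image paths (not real telemetry): the post's known spots, one odd location, one non-whoami binary.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\whoami.exe",
    r"C:\Windows\SysWOW64\whoami.exe",
    r"C:\Windows\WinSxS\amd64_microsoft-windows-whoami_31bf3856ad364e35_10.0.19041.1_none_846d8bda2133af3c\whoami.exe",
    r"C:\Program Files\Git\usr\bin\whoami.exe",
    r"C:\Program Files (x86)\SystemScheduler\WhoAmI.exe",
    r"C:\Users\Public\Downloads\whoami.exe",   # constructed: not a known location
    r"C:\Windows\System32\cmd.exe",
]

# OS-shipped copies: System32/SysWOW64/SysArm32 plus versioned WinSxS dirs (arch_component_token_version_none_hash).
OS_BUILTIN = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64|sysarm32)\\whoami\.exe$"
    r"|^[a-z]:\\windows\\winsxs\\(amd64|wow64|arm64|arm64\.arm|arm64\.x86)"
    r"_microsoft-windows-whoami_[0-9a-f]{16}_[\d.]+_none_[0-9a-f]{16}\\whoami\.exe$",
    re.IGNORECASE,
)

# Third-party copies named in the post; only the English "Program Files" forms
# are covered, localized folder names would need extra alternatives.
THIRD_PARTY = re.compile(
    r"^[a-z]:\\cygwin(64)?\\bin\\whoami\.exe$"
    r"|^[a-z]:\\program files( \(x86\))?\\(git\\usr\\bin|systemscheduler|macrocommander\\bin)\\whoami\.exe$",
    re.IGNORECASE,
)

def name_only_rule(image_paths):
    """The naive rule the post criticises: anything named whoami.exe fires."""
    return [p for p in image_paths if p.rsplit("\\", 1)[-1].lower() == "whoami.exe"]

def classify(image_path):
    """Bucket by image location; a path match is a triage hint only, verify signer/hash before trusting."""
    if image_path.rsplit("\\", 1)[-1].lower() != "whoami.exe":
        return "not-whoami"
    if OS_BUILTIN.match(image_path):
        return "os-builtin"
    if THIRD_PARTY.match(image_path):
        return "third-party"
    return "unknown-location"

def triage(image_paths):
    """Group events by bucket; 'unknown-location' is the one worth an analyst's look."""
    buckets = {}
    for p in image_paths:
        buckets.setdefault(classify(p), []).append(p)
    return buckets
```

On the constructed sample the name-only rule fires six times, while the location-aware triage leaves a single event in the unknown-location bucket.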

What Champagne to drink?

Reading articles about criminals enjoying (I really hope they are not just flexing) drinking the emperor of all Champagnes aka Dom Pérignon makes me feel that they are potentially missing out on so many opportunities! Not only is Dom Pérignon not the only champagne that is worth drinking, drinking the same champagne all the time is actually very boring, and let’s be honest – very uninspired. It’s also very self-limiting – c’mon… how do you know you are drinking a superb champagne if you cannot even compare it against others?

This short intro aims at making you a bit more curious about Champagne!

Personally, I’d suggest trying Veuve Clicquot (Yellow Label or Rose), it’s actually a favorite of mine. Price is usually around 4 times lower than Dom, but this champagne is simply fantastic:

Next, try Moët & Chandon – it’s another classic, very popular in the UK and on cruises – in fairness though: while I can drink it, I must say this is not my favorite, BUT it is still a very good champagne:

Another interesting champagne to try is Laurent Perrier Rose – mind you, it’s a very unusual taste, but I love it:

Winston Churchill’s favorite – Pol Roger – is actually not my cup of tea, as I find it a bit too sour for my taste, but apparently UK Tories love it, so it may be worth trying it, even if just to test if there is any bit of UK Tory in you (j/k). Jokes aside, it’s a really decent champagne!

Another one that is pretty good is Bollinger. Also known as the official James Bond champagne it is definitely one you should try (even if not my fav):

Taittinger is strange to me. Can’t put my finger on it, but I quite like it, and since I don’t know why, this is why I am recommending it:

Last, but not least — try Ruinart and Dom Ruinart. This brand is my totes and ultimate favorite, some even think it’s better than Dom Pérignon and I kinda know why — when you drink it you may get that ‘feel’ of complexity that Dom Pérignon is so famous for:

The other ‘super posh’ champagnes are:

  • Armand de Brignac Ace of Spades Champagne – it’s imho definitely overpriced and not worth it
  • Louis Roederer Cristal – decent, but not very inspiring
  • Louis Roederer <any other sub-brand> – again, not my cup of tea, because too much on an acidic side
  • Krug Champagne (including its Rose version) – the most intriguing champagne I have ever tasted; do not buy it until you have tried a number of other champagnes first, just to fully understand why drinking this champagne is one of the most exquisite experiences out there…

There are more, but let’s get you started! Serve them chilled, and drink responsibly! While we may all agree that Dom Pérignon is the Cobalt Strike of champagnes, you can only know for sure if you can actually compare it against the others…

Last, but not least… many of these exquisite brands offer ‘vintage’ or ‘seasonal’ batches that are priced extra, so extra that it sometimes hits many thousands of pounds sterling per bottle. They are often marked by the year (f.ex. Dom Pérignon 2012 or Veuve Clicquot Vintage 2012) to highlight an especially good harvest season. Some are just ‘special’ (aka more expensive) spin-offs, f.ex. Veuve Clicquot Grande Dame, which I actually don’t like at all. And some are just obvious celebrity trips/flexes (f.ex. Dom Perignon / Lady Gaga edition, Armand de Brignac Ace of Spades as a whole). I tried some of these and I don’t find them convincing enough. I think it’s just a marketing ploy, really, to squeeze us all out. Having said that, you may still want to get familiar with terms like ‘brut’, ‘cuvee’, ‘Blanc de Blancs’, ‘vintage’ vs. ‘non-vintage’ and at least recognize basic types of grapes, f.ex. chardonnay (white) and pinot noir (red).

The funniest bit is that I am not a wine sommelier and I actually don’t drink much wine, because… I really don’t like it. I love Champagne though and I have no idea why. Although, I don’t think of it too much because I know what Napoleon, allegedly, said about it: In victory, you deserve champagne. In defeat, you need it. Could not agree more: we all deserve and need it.