
Whoami.EXE Execution With Output Option

Sigma Rules

Summary
This detection rule identifies execution of whoami.exe on Windows when the command is run with the /FO flag (which selects an output format such as CSV) or when its output is redirected to a file. The rule has two parts: a main selection, which checks that the process image ends with whoami.exe and that the command line carries the /FO output-format option, and a special selection, which checks for a command line that contains whoami together with a '>' redirection. The rule fires when the main selection matches or when the special selection matches. This behaviour is notable because whoami is commonly used for reconnaissance, and capturing user or system identity information in a structured format, or writing it to a file, can support later data exfiltration. The rule is intended for integration into a security monitoring framework, where an alert on this behaviour supports timely incident response and forensic investigation. It belongs to the process creation category and applies to Windows environments.
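The matching logic described above, as an added example rather than the rule's own YAML or any Sigma project code: a small Python matcher run over constructed process-creation events. The field names Image and CommandLine (Sysmon/Sigma convention) and the exact way the two selections are combined are assumptions of this example.

```python
import re

# Constructed process-creation events (not real telemetry). Field names follow
# the Sysmon Event ID 1 / Sigma convention and are an assumption of this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /FO CSV /ALL"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c whoami /all > C:\Users\Public\w.txt"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /fo list"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir > out.txt"},
]

# '/FO' as its own argument, case-insensitive like a Sigma 'contains' modifier.
FO_FLAG = re.compile(r"(?i)(^|\s)/FO(\s|$)")


def main_selection(event):
    """Main selection: image ends with whoami.exe and the /FO flag is present."""
    image_ok = event.get("Image", "").lower().endswith("\\whoami.exe")
    return image_ok and bool(FO_FLAG.search(event.get("CommandLine", "")))


def special_selection(event):
    """Special selection: command line mentions whoami and redirects with '>'.

    This also covers the shell (for example cmd.exe) that performs the
    redirection, because '>' lands in the shell's command line, not in the
    command line of the whoami.exe child process.
    """
    cmd = event.get("CommandLine", "").lower()
    return "whoami" in cmd and ">" in cmd


def matches(event):
    """The rule fires when either selection matches (assumed combination)."""
    return main_selection(event) or special_selection(event)


def run_detection(events=SAMPLE_EVENTS):
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_detection():
        print("ALERT whoami output option:", hit)
```

A plain `whoami` with no format flag or redirection is deliberately left unmatched, which keeps the rule quieter than a bare whoami.exe detection.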
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2023-02-28