Renamed Whoami Execution

Sigma Rules

Summary
This detection rule identifies execution of the 'whoami' command when the binary has been renamed to evade detection. Reconnaissance tools like 'whoami' are frequently misused by threat actors to gather information about the local system, such as user privileges and network configuration. By renaming the executable to an arbitrary name, attackers attempt to bypass security controls that only watch for the usual process name. The rule looks for process creation events whose original file name field is 'whoami.exe' and applies a filter that excludes processes whose image name is still 'whoami.exe', so that only renamed copies are reported. The rule is considered critical because of its relevance in detecting reconnaissance activity in a Windows environment.
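The selection-and-filter logic described above, implemented in Python over a handful of constructed process-creation events. This is an added example and not the Sigma rule itself or code from the rule's project; it assumes Sysmon Event ID 1 style field names ('Image', 'OriginalFileName', 'CommandLine') and the case-insensitive string matching Sigma applies to Windows fields. The sample events are made up for this example.

```python
# Constructed process-creation events in Sysmon Event ID 1 style.
# Field names are assumed; all paths and values are made up for this example.
SAMPLE_EVENTS = [
    # Legitimate whoami from its normal location: OriginalFileName matches,
    # but the image name is still whoami.exe, so the filter excludes it.
    {"Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe", "CommandLine": "whoami /priv"},
    # Renamed copy masquerading as svchost.exe: should be reported.
    {"Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "whoami.exe", "CommandLine": "svchost.exe /all"},
    # Copied to another folder but still named whoami.exe, in mixed case:
    # not renamed, so the (case-insensitive) filter excludes it.
    {"Image": r"C:\Temp\WHOAMI.EXE",
     "OriginalFileName": "WhoAmI.exe", "CommandLine": "WHOAMI.EXE"},
    # Unrelated binary: OriginalFileName does not match the selection.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c dir"},
    # Renamed copy with no CommandLine field logged: still reported.
    {"Image": r"C:\Tools\w.exe", "OriginalFileName": "whoami.exe"},
]


def is_renamed_whoami(event):
    """Return True when the event matches 'selection and not filter'.

    selection: OriginalFileName equals 'whoami.exe'
    filter:    Image ends with '\\whoami.exe'
    Comparisons are lower-cased because Sigma matches Windows fields
    case-insensitively and attackers vary the casing of paths.
    """
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    if original != "whoami.exe":
        return False
    # Only renamed copies survive the filter; a binary that is still
    # called whoami.exe, wherever it lives, is not what this rule targets.
    return not image.endswith("\\whoami.exe")


def find_renamed_whoami(events):
    """Return the subset of process-creation events that match the rule."""
    return [e for e in events if is_renamed_whoami(e)]


if __name__ == "__main__":
    for hit in find_renamed_whoami(SAMPLE_EVENTS):
        print("renamed whoami:", hit["Image"], hit.get("CommandLine", "<no command line>"))
```

The OriginalFileName field comes from the executable's version resource, so this logic only catches copies where that metadata was left intact; it complements, rather than replaces, monitoring of 'whoami' by its usual process name.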
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-08-12