HackTool - SharpLDAPmonitor Execution
Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and modification of LDAP objects.
Sigma rule
title: HackTool - SharpLDAPmonitor Execution
id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541
status: test
description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
references:
    - https://github.com/p0dalirius/LDAPmonitor
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-30
modified: 2023-02-14
tags:
    - attack.discovery
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpLDAPmonitor.exe'
        - OriginalFileName: 'SharpLDAPmonitor.exe'
    selection_cli:
        CommandLine|contains|all:
            - '/user:'
            - '/pass:'
            - '/dcip:'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
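The rule above has two independent selections: selection_img fires on the binary name or its PE OriginalFileName, and selection_cli fires on the three command-line switches even when the binary has been renamed and its version resource stripped. The following Python is an added example (not part of the SigmaHQ rule or the LDAPmonitor project) that transcribes the detection block and evaluates it over a few constructed process-creation events, so you can see which selection catches which evasion. The evaluator implements only the Sigma modifiers the rule uses (endswith, contains, all) with Sigma's default case-insensitive matching; the sample events, paths and credential placeholders are constructed for illustration.

```python
# Minimal evaluator for the detection block of the SharpLDAPmonitor Sigma rule.
# Added example; the selection names and values are the rule's own, the events
# below are constructed samples (assumption: Sysmon/4688-style field names).
from typing import Dict, List, Union

Selection = Union[Dict[str, object], List[Dict[str, object]]]

# Transcribed from the rule's detection block.
SELECTION_IMG: Selection = [
    {"Image|endswith": r"\SharpLDAPmonitor.exe"},
    {"OriginalFileName": "SharpLDAPmonitor.exe"},
]
SELECTION_CLI: Selection = {"CommandLine|contains|all": ["/user:", "/pass:", "/dcip:"]}


def _apply(value: str, wanted: str, modifiers: List[str]) -> bool:
    """Apply one Sigma string modifier; no modifier means exact match."""
    if "endswith" in modifiers:
        return value.endswith(wanted)
    if "startswith" in modifiers:
        return value.startswith(wanted)
    if "contains" in modifiers:
        return wanted in value
    return value == wanted


def field_matches(event: Dict[str, str], key: str, expected: object) -> bool:
    """Evaluate 'Field|mod1|mod2: value(s)' against an event, case-insensitively."""
    field, *modifiers = key.split("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    if "all" in modifiers:          # every listed value must be present
        return all(_apply(value, w, modifiers) for w in wanted)
    return any(_apply(value, w, modifiers) for w in wanted)


def selection_matches(event: Dict[str, str], selection: Selection) -> bool:
    """A mapping is AND over its keys; a list of mappings is OR over the entries."""
    if isinstance(selection, list):
        return any(selection_matches(event, entry) for entry in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: 1 of selection_*  ->  any one selection is sufficient."""
    return selection_matches(event, SELECTION_IMG) or selection_matches(event, SELECTION_CLI)


def matching_indices(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: unmodified tool -> caught by Image|endswith
        "Image": r"C:\Tools\SharpLDAPmonitor.exe",
        "OriginalFileName": "SharpLDAPmonitor.exe",
        "CommandLine": r"SharpLDAPmonitor.exe /user:CONTOSO\svc_ldap /pass:<redacted> /dcip:10.0.0.5",
    },
    {   # 1: renamed on disk, PE metadata intact -> caught by OriginalFileName
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "SharpLDAPmonitor.exe",
        "CommandLine": r"update.exe /user:CONTOSO\svc_ldap /pass:<redacted> /dcip:10.0.0.5",
    },
    {   # 2: renamed and version resource stripped -> only selection_cli fires
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "",
        "CommandLine": r"update.exe /user:CONTOSO\svc_ldap /pass:<redacted> /dcip:10.0.0.5",
    },
    {   # 3: benign administration, only one of the three switches -> no alert
        "Image": r"C:\Windows\System32\net.exe",
        "OriginalFileName": "net.exe",
        "CommandLine": r"net use \\fileserver\share /user:CONTOSO\alice",
    },
]

if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"event {i} matches: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0, 1 and 2 alert and event 3 does not; the third event is the one worth noting, because it shows why the command-line selection is kept alongside the file-name checks. The same `selection_matches` helper handles any Sigma rule that uses only these modifiers, so it can be reused to sanity-check similar process_creation rules against your own sample logs.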
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- AD Privileged Users or Groups Reconnaissance