HackTool - SharpLdapWhoami Execution

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Sigma rule (View on GitHub)

 1title: HackTool - SharpLdapWhoami Execution
 2id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
 3status: test
 4description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
 5references:
 6    - https://github.com/bugch3ck/SharpLdapWhoami
 7author: Florian Roth (Nextron Systems)
 8date: 2022/08/29
 9modified: 2023/02/04
10tags:
11    - attack.discovery
12    - attack.t1033
13    - car.2016-03-001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_name:
19        Image|endswith: '\SharpLdapWhoami.exe'
20    selection_pe: # in case the file has been renamed after compilation
21        - OriginalFileName|contains: 'SharpLdapWhoami'
22        - Product: 'SharpLdapWhoami'
23    selection_flags1:
24        CommandLine|endswith:
25            - ' /method:ntlm'
26            - ' /method:kerb'
27            - ' /method:nego'
28            - ' /m:nego'
29            - ' /m:ntlm'
30            - ' /m:kerb'
31    condition: 1 of selection*
32falsepositives:
33    - Programs that use the same command line flags
34level: high

References

Related rules

to-top