sigmahighHunting

HackTool - SharpLdapWhoami Execution

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

MITRE ATT&CK

discovery

Detection Query

selection_name:
  Image|endswith: \SharpLdapWhoami.exe
selection_pe:
  - OriginalFileName|contains: SharpLdapWhoami
  - Product: SharpLdapWhoami
selection_flags1:
  CommandLine|endswith:
    - " /method:ntlm"
    - " /method:kerb"
    - " /method:nego"
    - " /m:nego"
    - " /m:ntlm"
    - " /m:kerb"
condition: 1 of selection*

Author

Florian Roth (Nextron Systems)

Created

2022-08-29

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/bugch3ck/SharpLdapWhoami

Tags

attack.discoveryattack.t1033car.2016-03-001

Raw Content

title: HackTool - SharpLdapWhoami Execution
id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
status: test
description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
references:
    - https://github.com/bugch3ck/SharpLdapWhoami
author: Florian Roth (Nextron Systems)
date: 2022-08-29
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\SharpLdapWhoami.exe'
    selection_pe: # in case the file has been renamed after compilation
        - OriginalFileName|contains: 'SharpLdapWhoami'
        - Product: 'SharpLdapWhoami'
    selection_flags1:
        CommandLine|endswith:
            - ' /method:ntlm'
            - ' /method:kerb'
            - ' /method:nego'
            - ' /m:nego'
            - ' /m:ntlm'
            - ' /m:kerb'
    condition: 1 of selection*
falsepositives:
    - Programs that use the same command line flags
level: high