HackTool - SharpLdapWhoami Execution

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1033` System Owner/User Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_name`

Image|endswith: '\SharpLdapWhoami.exe'

Stage 2: `1 of selection_pe`

or:
OriginalFileName|contains: SharpLdapWhoami
Product: SharpLdapWhoami

Stage 3: `1 of selection_flags1`

or:
CommandLine|endswith: ' /m:kerb'
CommandLine|endswith: ' /m:nego'
CommandLine|endswith: ' /m:ntlm'
CommandLine|endswith: ' /method:kerb'
CommandLine|endswith: ' /method:nego'
CommandLine|endswith: ' /method:ntlm'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	ends_with	`/m:kerb` `/m:nego` `/m:ntlm` `/method:kerb` `/method:nego` `/method:ntlm`
`Image`	ends_with	`\SharpLdapWhoami.exe` corpus 2 (sigma 2)
`OriginalFileName`	match	`SharpLdapWhoami`
`Product`	eq	`SharpLdapWhoami`