LoFP / programs that use the same command line flags

Techniques

Sample rules

HackTool - SharpLdapWhoami Execution

Description

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Detection logic

condition: 1 of selection*
selection_flags1:
  CommandLine|endswith:
  - ' /method:ntlm'
  - ' /method:kerb'
  - ' /method:nego'
  - ' /m:nego'
  - ' /m:ntlm'
  - ' /m:kerb'
selection_name:
  Image|endswith: \SharpLdapWhoami.exe
selection_pe:
- OriginalFileName|contains: SharpLdapWhoami
- Product: SharpLdapWhoami
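To show how this false positive arises, here is an added example (not part of the LoFP page, the Sigma rule or the SharpLdapWhoami project) that evaluates the rule's three selections and its `1 of selection*` condition over constructed process-creation events. The event fields, paths and program names are hypothetical; `ldapcheck.exe` stands in for any unrelated program that happens to accept the same `/method:` or `/m:` flags. Sigma string modifiers compare case-insensitively, which the code mirrors with `lower()`.

```python
from dataclasses import dataclass

# Suffixes copied from selection_flags1 of the rule.
FLAG_SUFFIXES = (' /method:ntlm', ' /method:kerb', ' /method:nego',
                 ' /m:nego', ' /m:ntlm', ' /m:kerb')


@dataclass
class ProcessEvent:
    """Subset of a process_creation record (e.g. Sysmon Event ID 1) the rule reads."""
    image: str
    command_line: str
    original_file_name: str = ''
    product: str = ''


def matched_selections(ev: ProcessEvent) -> list:
    """Return the names of the rule's selections that match this event."""
    hits = []
    if ev.command_line.lower().endswith(FLAG_SUFFIXES):       # CommandLine|endswith
        hits.append('selection_flags1')
    if ev.image.lower().endswith('\\sharpldapwhoami.exe'):    # Image|endswith
        hits.append('selection_name')
    if ('sharpldapwhoami' in ev.original_file_name.lower()     # OriginalFileName|contains
            or ev.product.lower() == 'sharpldapwhoami'):       # Product
        hits.append('selection_pe')
    return hits


def rule_fires(ev: ProcessEvent) -> bool:
    """condition: 1 of selection*  ->  any single selection is enough."""
    return bool(matched_selections(ev))


def flags_only(ev: ProcessEvent) -> bool:
    """True when only the command-line suffix matched: the shape of this LoFP entry."""
    return matched_selections(ev) == ['selection_flags1']


# Constructed sample events (hypothetical paths and product names).
SAMPLE_EVENTS = {
    # Tool renamed on disk; PE metadata still identifies it.
    'renamed_tool': ProcessEvent(
        image=r'C:\Users\Public\svc.exe',
        command_line=r'C:\Users\Public\svc.exe /m:kerb',
        original_file_name='SharpLdapWhoami.exe',
        product='SharpLdapWhoami'),
    # Unrelated program that uses the same flag: the false positive.
    'unrelated_program': ProcessEvent(
        image=r'C:\Program Files\ExampleCorp\ldapcheck.exe',
        command_line=r'"C:\Program Files\ExampleCorp\ldapcheck.exe" /method:ntlm'),
    # Ordinary whoami, no overlap with any selection.
    'benign_whoami': ProcessEvent(
        image=r'C:\Windows\System32\whoami.exe',
        command_line='whoami /all'),
}


def triage() -> dict:
    """Map each sample event name to the selections it matched."""
    return {name: matched_selections(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == '__main__':
    for name, hits in triage().items():
        if not hits:
            verdict = 'no match'
        elif hits == ['selection_flags1']:
            verdict = 'alert (flags only, review for FP)'
        else:
            verdict = 'alert'
        print(f'{name:18} {verdict:36} {hits}')
```

Because the condition is `1 of selection*`, the `unrelated_program` event raises the alert on `selection_flags1` alone; `flags_only()` isolates that case so an analyst can route flag-only hits to a review queue (or add a filter for known programs in their environment) without weakening the name and PE-metadata selections that still catch a renamed copy of the tool.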