
Summary
This detection rule identifies execution of SharpLdapWhoami, a tool used to query the LDAP service on a domain controller; such activity can indicate reconnaissance within a network environment. The rule monitors process-creation events for the executable SharpLdapWhoami.exe and uses specific patterns in the process command line to distinguish legitimate from potentially malicious use. Detection is triggered when the process image ends with SharpLdapWhoami.exe, when the original file name or product name indicates a relationship to SharpLdapWhoami, or when the command line contains switches typical of the tool's operation. False positives may occur with other software that uses similar command-line flags, so additional context or checks may be needed for effective incident response. The rule helps organizations mitigate the risk of unauthorized LDAP queries and strengthens overall security posture by detecting a tool commonly used by attackers for information gathering.
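The following is an added worked example of the matching logic the summary describes, written here as an illustration and not the rule's own code or the SharpLdapWhoami project's code. It assumes Sysmon-style process-creation field names (Image, OriginalFileName, Product, CommandLine), the sample events are constructed, and the command-line switch pattern is a placeholder standing in for whatever switch list the real rule uses. The evaluator reports which selection fired so an analyst can see at a glance when a hit rests on the command line alone, which is the case the summary flags as prone to false positives.

```python
import ntpath
import re

# Constructed process-creation events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {   # direct execution of the tool, all PE metadata intact
        "Image": r"C:\Users\alice\Downloads\SharpLdapWhoami.exe",
        "OriginalFileName": "SharpLdapWhoami.exe",
        "Product": "SharpLdapWhoami",
        "CommandLine": "SharpLdapWhoami.exe",
    },
    {   # binary renamed on disk, but the PE OriginalFileName still gives it away
        "Image": r"C:\Temp\svc.exe",
        "OriginalFileName": "SharpLdapWhoami.exe",
        "Product": "",
        "CommandLine": "svc.exe",
    },
    {   # unrelated program that happens to use a similar-looking switch
        "Image": r"C:\Temp\updater.exe",
        "OriginalFileName": "updater.exe",
        "Product": "Updater",
        "CommandLine": "updater.exe /method:kerb",
    },
    {   # ordinary built-in whoami, should not match
        "Image": r"C:\Windows\System32\whoami.exe",
        "OriginalFileName": "whoami.exe",
        "Product": "Microsoft Windows Operating System",
        "CommandLine": "whoami /all",
    },
]

# Placeholder switch patterns (assumption, not taken from the page); substitute the
# rule's actual command-line switches here.
CLI_SWITCH_PATTERNS = [re.compile(r"\s/m(ethod)?:", re.IGNORECASE)]


def evaluate(event):
    """Apply the rule's selections to one event.

    Returns a dict with the overall verdict, the list of selections that fired
    (in evaluation order) and a needs_context flag that is set when the only
    evidence is the command line, i.e. the false-positive-prone path.
    """
    hits = []
    image_name = ntpath.basename(event.get("Image", "")).lower()
    if image_name == "sharpldapwhoami.exe":
        hits.append("image")
    if event.get("OriginalFileName", "").lower() == "sharpldapwhoami.exe":
        hits.append("original_file_name")
    if "sharpldapwhoami" in event.get("Product", "").lower():
        hits.append("product")
    command_line = event.get("CommandLine", "")
    if any(p.search(command_line) for p in CLI_SWITCH_PATTERNS):
        hits.append("command_line")
    return {
        "match": bool(hits),
        "selections": hits,
        "needs_context": hits == ["command_line"],
    }


def triage(events):
    """Return (image, selections, needs_context) for every matching event."""
    results = []
    for event in events:
        verdict = evaluate(event)
        if verdict["match"]:
            results.append((event["Image"], verdict["selections"], verdict["needs_context"]))
    return results


if __name__ == "__main__":
    for image, selections, needs_context in triage(SAMPLE_EVENTS):
        flag = "  <- command line only, verify context" if needs_context else ""
        print(f"{image}: {', '.join(selections)}{flag}")
```

Keying the image check on the basename rather than a raw suffix avoids matching a differently named binary whose name merely ends in the string, and checking OriginalFileName separately is what catches a renamed copy of the tool.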
Categories
- Windows
- Network
- Application
Data Sources
- Process
Created: 2022-08-29