HackTool - SharpChisel Execution
Detects usage of the Sharp Chisel via the commandline arguments
Sigma rule (View on GitHub)
1title: HackTool - SharpChisel Execution
2id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
3related:
4 - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
5 type: similar
6status: test
7description: Detects usage of the Sharp Chisel via the commandline arguments
8references:
9 - https://github.com/shantanu561993/SharpChisel
10 - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-09-05
13modified: 2023-02-13
14tags:
15 - attack.command-and-control
16 - attack.t1090.001
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 - Image|endswith: '\SharpChisel.exe'
23 - Product: 'SharpChisel'
24 # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
25 condition: selection
26falsepositives:
27 - Unlikely
28level: high
References
-
C# Wrapper around Chisel from https://github.com/jpillora/chisel - shantanu561993/SharpChisel
Read More -
MuddyWater APT's updated toolkit: an evolution of PowGoop malware, abuse of tunneling tools, and targeting of Exchange servers. MuddyWater's activities are attributed to the Iranian Ministry of Intelligence by U.S. Cyber Command.
Read More
Related rules
- PUA - Chisel Tunneling Tool Execution
- RDP over Reverse SSH Tunnel WFP
- ADSI-Cache File Creation By Uncommon Tool
- APT User Agent
- APT40 Dropbox Tool User Agent