HackTool - SharpChisel Execution
Detects usage of the Sharp Chisel via the commandline arguments
Sigma rule (View on GitHub)
1title: HackTool - SharpChisel Execution
2id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
3related:
4 - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
5 type: similar
6status: test
7description: Detects usage of the Sharp Chisel via the commandline arguments
8references:
9 - https://github.com/shantanu561993/SharpChisel
10 - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-09-05
13modified: 2023-02-13
14tags:
15 - attack.command-and-control
16 - attack.t1090.001
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 - Image|endswith: '\SharpChisel.exe'
23 - Product: 'SharpChisel'
24 # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
25 condition: selection
26falsepositives:
27 - Unlikely
28level: high
References
Related rules
- Cloudflared Portable Execution
- Cloudflared Quick Tunnel Execution
- PUA - Chisel Tunneling Tool Execution
- RDP over Reverse SSH Tunnel WFP
- Renamed Cloudflared.EXE Execution