HackTool - SharpDPAPI Execution
Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
Sigma rule (View on GitHub)
1title: HackTool - SharpDPAPI Execution
2id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
3status: experimental
4description: |
5 Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
6 SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
7references:
8 - https://github.com/GhostPack/SharpDPAPI
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2024-06-26
11tags:
12 - attack.privilege-escalation
13 - attack.defense-evasion
14 - attack.t1134.001
15 - attack.t1134.003
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection_img:
21 - Image|endswith: '\SharpDPAPI.exe'
22 - OriginalFileName: 'SharpDPAPI.exe'
23 selection_other_cli:
24 CommandLine|contains:
25 - ' backupkey '
26 - ' blob '
27 - ' certificates '
28 - ' credentials '
29 - ' keepass '
30 - ' masterkeys '
31 - ' rdg '
32 - ' vaults '
33 selection_other_options_guid:
34 CommandLine|contains|all:
35 - ' {'
36 - '}:'
37 selection_other_options_flags:
38 CommandLine|contains:
39 - ' /file:'
40 - ' /machine'
41 - ' /mkfile:'
42 - ' /password:'
43 - ' /pvk:'
44 - ' /server:'
45 - ' /target:'
46 - ' /unprotect'
47 condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)
48falsepositives:
49 - Unknown
50level: high
References
Related rules
- HackTool - SharpImpersonation Execution
- Potential Access Token Abuse
- APT PRIVATELOG Image Load Pattern
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS