HackTool - SharpDPAPI Execution

Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.

Sigma rule

title: HackTool - SharpDPAPI Execution
id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
status: experimental
description: |
    Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
    SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
references:
    - https://github.com/GhostPack/SharpDPAPI
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpDPAPI.exe'
        - OriginalFileName: 'SharpDPAPI.exe'
    selection_other_cli:
        CommandLine|contains:
            - ' backupkey '
            - ' blob '
            - ' certificates '
            - ' credentials '
            - ' keepass '
            - ' masterkeys '
            - ' rdg '
            - ' vaults '
    selection_other_options_guid:
        CommandLine|contains|all:
            - ' {'
            - '}:'
    selection_other_options_flags:
        CommandLine|contains:
            - ' /file:'
            - ' /machine'
            - ' /mkfile:'
            - ' /password:'
            - ' /pvk:'
            - ' /server:'
            - ' /target:'
            - ' /unprotect'
    condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)
falsepositives:
    - Unknown
level: high
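As an added example (not part of the rule or the Sigma project), the following Python evaluates the rule's condition against a few constructed process_creation events. It shows that a renamed copy still matches on OriginalFileName, and that a DPAPI subcommand without one of the listed option flags or a `{GUID}:` argument does not match on its own; the "svc.exe" binary and all command lines are hypothetical.

```python
# Added example (not from the Sigma project): evaluates this rule's detection
# logic against constructed process_creation events. Sigma string modifiers
# (contains / endswith) are case-insensitive, so values are lower-cased.
IMG_SUFFIX = "\\sharpdpapi.exe"
ORIG_NAME = "sharpdpapi.exe"
CLI_COMMANDS = (" backupkey ", " blob ", " certificates ", " credentials ",
                " keepass ", " masterkeys ", " rdg ", " vaults ")
GUID_PARTS = (" {", "}:")
FLAGS = (" /file:", " /machine", " /mkfile:", " /password:", " /pvk:",
         " /server:", " /target:", " /unprotect")

def selection_img(ev: dict) -> bool:
    # A list under a field map is an OR of its entries
    return (ev.get("Image", "").lower().endswith(IMG_SUFFIX)
            or ev.get("OriginalFileName", "").lower() == ORIG_NAME)

def selection_other_cli(ev: dict) -> bool:
    cl = ev.get("CommandLine", "").lower()
    return any(c in cl for c in CLI_COMMANDS)

def selection_other_options_guid(ev: dict) -> bool:
    cl = ev.get("CommandLine", "").lower()
    return all(p in cl for p in GUID_PARTS)  # contains|all: every part must appear

def selection_other_options_flags(ev: dict) -> bool:
    cl = ev.get("CommandLine", "").lower()
    return any(f in cl for f in FLAGS)

def matches(ev: dict) -> bool:
    # condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)
    options = (selection_other_options_guid, selection_other_options_flags)
    return selection_img(ev) or (selection_other_cli(ev) and any(o(ev) for o in options))

# Constructed events (not real telemetry); "svc.exe" is a hypothetical renamed copy
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "SharpDPAPI.exe",
     "CommandLine": "svc.exe"},  # PE metadata still identifies the tool after a rename
    {"Image": r"C:\Users\Public\svc.exe", "CommandLine": "svc.exe masterkeys /pvk:key.pvk"},
    {"Image": r"C:\Users\Public\svc.exe", "CommandLine": "svc.exe masterkeys help"},  # no option
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo credentials"},
]

def evaluate(events=SAMPLE_EVENTS) -> list:
    return [matches(e) for e in events]  # -> [True, True, False, False]
```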
