HackTool - SharpImpersonation Execution
Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
Sigma rule (View on GitHub)
1title: HackTool - SharpImpersonation Execution
2id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
3related:
4 - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
5 type: similar
6status: test
7description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
8references:
9 - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
10 - https://github.com/S3cur3Th1sSh1t/SharpImpersonation
11author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
12date: 2022-12-27
13modified: 2023-02-13
14tags:
15 - attack.privilege-escalation
16 - attack.defense-evasion
17 - attack.t1134.001
18 - attack.t1134.003
19logsource:
20 product: windows
21 category: process_creation
22detection:
23 selection_img:
24 - Image|endswith: '\SharpImpersonation.exe'
25 - OriginalFileName: 'SharpImpersonation.exe'
26 selection_cli:
27 - CommandLine|contains|all:
28 - ' user:'
29 - ' binary:'
30 - CommandLine|contains|all:
31 - ' user:'
32 - ' shellcode:'
33 - CommandLine|contains:
34 - ' technique:CreateProcessAsUserW'
35 - ' technique:ImpersonateLoggedOnuser'
36 condition: 1 of selection_*
37falsepositives:
38 - Unknown
39level: high
References
Related rules
- HackTool - SharpDPAPI Execution
- Potential Access Token Abuse
- APT PRIVATELOG Image Load Pattern
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS