HackTool - SharpImpersonation Execution
Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
Sigma rule (View on GitHub)
1title: HackTool - SharpImpersonation Execution
2id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
3related:
4 - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
5 type: similar
6status: test
7description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
8references:
9 - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
10 - https://github.com/S3cur3Th1sSh1t/SharpImpersonation
11author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
12date: 2022/12/27
13modified: 2023/02/13
14tags:
15 - attack.privilege_escalation
16 - attack.defense_evasion
17 - attack.t1134.001
18 - attack.t1134.003
19logsource:
20 product: windows
21 category: process_creation
22detection:
23 selection_img:
24 - Image|endswith: '\SharpImpersonation.exe'
25 - OriginalFileName: 'SharpImpersonation.exe'
26 selection_cli:
27 - CommandLine|contains|all:
28 - ' user:'
29 - ' binary:'
30 - CommandLine|contains|all:
31 - ' user:'
32 - ' shellcode:'
33 - CommandLine|contains:
34 - ' technique:CreateProcessAsUserW'
35 - ' technique:ImpersonateLoggedOnuser'
36 condition: 1 of selection_*
37falsepositives:
38 - Unknown
39level: high
References
Related rules
- HackTool - Impersonate Execution
- HackTool - LocalPotato Execution
- PUA - AdvancedRun Execution
- PUA - AdvancedRun Suspicious Execution
- Potential PrintNightmare Exploitation Attempt