HackTool - SharpImpersonation Execution

Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

Sigma rule (View on GitHub)

 1title: HackTool - SharpImpersonation Execution
 2id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
 3related:
 4    - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
 5      type: similar
 6status: test
 7description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
 8references:
 9    - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
10    - https://github.com/S3cur3Th1sSh1t/SharpImpersonation
11author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
12date: 2022-12-27
13modified: 2023-02-13
14tags:
15    - attack.privilege-escalation
16    - attack.defense-evasion
17    - attack.t1134.001
18    - attack.t1134.003
19logsource:
20    product: windows
21    category: process_creation
22detection:
23    selection_img:
24        - Image|endswith: '\SharpImpersonation.exe'
25        - OriginalFileName: 'SharpImpersonation.exe'
26    selection_cli:
27        - CommandLine|contains|all:
28              - ' user:'
29              - ' binary:'
30        - CommandLine|contains|all:
31              - ' user:'
32              - ' shellcode:'
33        - CommandLine|contains:
34              - ' technique:CreateProcessAsUserW'
35              - ' technique:ImpersonateLoggedOnuser'
36    condition: 1 of selection_*
37falsepositives:
38    - Unknown
39level: high

References

Related rules

to-top