HackTool - SharPersist Execution
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
Sigma rule (View on GitHub)
1title: HackTool - SharPersist Execution
2id: 26488ad0-f9fd-4536-876f-52fea846a2e4
3status: test
4description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
5references:
6 - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
7 - https://github.com/mandiant/SharPersist
8author: Florian Roth (Nextron Systems)
9date: 2022/09/15
10modified: 2023/02/04
11tags:
12 - attack.persistence
13 - attack.t1053
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\SharPersist.exe'
20 - Product: 'SharPersist'
21 selection_cli_1:
22 CommandLine|contains:
23 - ' -t schtask -c '
24 - ' -t startupfolder -c '
25 selection_cli_2:
26 CommandLine|contains|all:
27 - ' -t reg -c '
28 - ' -m add'
29 selection_cli_3:
30 CommandLine|contains|all:
31 - ' -t service -c '
32 - ' -m add'
33 selection_cli_4:
34 CommandLine|contains|all:
35 - ' -t schtask -c '
36 - ' -m add'
37 condition: 1 of selection_*
38falsepositives:
39 - Unknown
40level: high
References
-
Background PowerShell has been used by the offensive community for several years now but recent advances in the defensive security industry are causing offensive toolkits to migrate from PowerShell...
Read More -
Related rules
- HAFNIUM Exchange Exploitation Activity
- HackTool - CrackMapExec Execution
- Scheduled TaskCache Change by Uncommon Program
- Defrag Deactivation - Security
- Potential ACTINIUM Persistence Activity