HackTool - SharpMove Tool Execution

Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.

Sigma rule (View on GitHub)

 1title: HackTool - SharpMove Tool Execution
 2id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
 3status: test
 4description: |
 5        Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
 6references:
 7    - https://github.com/0xthirteen/SharpMove/
 8    - https://pentestlab.blog/tag/sharpmove/
 9author: Luca Di Bartolomeo (CrimpSec)
10date: 2024-01-29
11tags:
12    - attack.lateral-movement
13    - attack.t1021.002
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\SharpMove.exe'
20        - OriginalFileName: SharpMove.exe
21    selection_cli_computer:
22        # In its current implementation the "computername" flag is required in all actions
23        CommandLine|contains: 'computername='
24    selection_cli_actions:
25        CommandLine|contains:
26            - 'action=create'
27            - 'action=dcom'
28            - 'action=executevbs'
29            - 'action=hijackdcom'
30            - 'action=modschtask'
31            - 'action=modsvc'
32            - 'action=query'
33            - 'action=scm'
34            - 'action=startservice'
35            - 'action=taskscheduler'
36    condition: selection_img or all of selection_cli_*
37falsepositives:
38    - Unknown
39level: high

References

Related rules

to-top