HackTool - SharpMove Tool Execution
Detects the execution of SharpMove, a .NET utility that performs multiple lateral-movement tasks such as task creation, SCM queries and VBScript execution via WMI, by matching its PE metadata (image name and original file name) and its command line options.
Sigma rule
title: HackTool - SharpMove Tool Execution
id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
status: test
description: |
    Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
references:
    - https://github.com/0xthirteen/SharpMove/
    - https://pentestlab.blog/tag/sharpmove/
author: Luca Di Bartolomeo (CrimpSec)
date: 2024-01-29
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\SharpMove.exe'
        - OriginalFileName: SharpMove.exe
    selection_cli_computer:
        # In its current implementation the "computername" flag is required in all actions
        CommandLine|contains: 'computername='
    selection_cli_actions:
        CommandLine|contains:
            - 'action=create'
            - 'action=dcom'
            - 'action=executevbs'
            - 'action=hijackdcom'
            - 'action=modschtask'
            - 'action=modsvc'
            - 'action=query'
            - 'action=scm'
            - 'action=startservice'
            - 'action=taskscheduler'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unknown
level: high
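The following is an added example (not part of the Sigma project or the rule author's material) that evaluates the rule's logic, `selection_img or all of selection_cli_*`, against constructed process_creation events, so a detection engineer can see which branch fires for a renamed binary versus a command-line-only match. The field names follow the Sigma Windows taxonomy used by the rule; the events are constructed, not real telemetry, and string comparison is case-insensitive as Sigma specifies by default.

```python
# Added example: evaluator for the SharpMove Sigma rule over constructed events.
# Matching is case-insensitive, mirroring Sigma's default string semantics.

ACTIONS = [
    "action=create", "action=dcom", "action=executevbs", "action=hijackdcom",
    "action=modschtask", "action=modsvc", "action=query", "action=scm",
    "action=startservice", "action=taskscheduler",
]


def selection_img(event):
    # Image|endswith '\SharpMove.exe'  OR  OriginalFileName == 'SharpMove.exe'
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\sharpmove.exe") or original == "sharpmove.exe"


def selection_cli_computer(event):
    # CommandLine|contains 'computername=' (required by every SharpMove action)
    return "computername=" in event.get("CommandLine", "").lower()


def selection_cli_actions(event):
    # CommandLine|contains any of the known action= values
    cli = event.get("CommandLine", "").lower()
    return any(action in cli for action in ACTIONS)


def matches(event):
    # condition: selection_img or all of selection_cli_*
    return selection_img(event) or (
        selection_cli_computer(event) and selection_cli_actions(event)
    )


# Constructed sample events (hypothetical hosts and paths, not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\a\Downloads\SharpMove.exe", "OriginalFileName": "SharpMove.exe",
     "CommandLine": "SharpMove.exe action=query computername=host01"},   # both branches
    {"Image": r"C:\Temp\svchost.exe", "OriginalFileName": "SharpMove.exe",
     "CommandLine": "svchost.exe"},                                      # renamed: PE metadata
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "update.exe",
     "CommandLine": "update.exe action=scm computername=host02"},        # CLI branch only
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": "schtasks.exe /query /s host03"},                     # benign, no match
]


def run(events=SAMPLE_EVENTS):
    # Returns one boolean per event: True where the rule would alert.
    return [matches(e) for e in events]
```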
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe