HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
Sigma rule
title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.discovery
    - attack.execution
    - attack.t1615
    - attack.t1569.002
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical
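To show how the rule's selection is evaluated, here is an added Python example (not part of the Sigma project or of this rule) that applies the same three OR-ed selectors, with Sigma's default case-insensitive string matching, to constructed Sysmon-style process-creation events; the event paths and values are hypothetical.

```python
# The three selectors from the rule. They are list items under `selection`
# in the YAML, so Sigma ORs them: any one matching is enough.
SELECTION = [
    ("Image|endswith", ["\\SharpUp.exe"]),
    ("Description", ["SharpUp"]),
    ("CommandLine|contains", [
        "HijackablePaths", "UnquotedServicePath", "ProcessDLLHijack",
        "ModifiableServiceBinaries", "ModifiableScheduledTask",
        "DomainGPPPassword", "CachedGPPPassword",
    ]),
]


def selector_matches(event: dict, spec: str, patterns: list) -> bool:
    """Apply one Sigma field selector (plain, |endswith or |contains).
    Sigma string matching is case-insensitive, so compare lower-cased."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if modifier == "endswith" and value.endswith(pattern):
            return True
        if modifier == "contains" and pattern in value:
            return True
        if modifier == "" and value == pattern:
            return True
    return False


def rule_matches(event: dict) -> bool:
    """`condition: selection` -> OR across the list of selectors."""
    return any(selector_matches(event, spec, pats) for spec, pats in SELECTION)


def matching_indices(events: list) -> list:
    """Indices of the events that would raise this (level: critical) alert."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events (hypothetical); fields follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\SharpUp.exe",
     "CommandLine": "SharpUp.exe audit", "Description": ""},
    {"Image": r"C:\Windows\Temp\svc.exe", "CommandLine": "svc.exe",
     "Description": "SharpUp"},  # renamed binary, PE description still intact
    {"Image": r"C:\tools\renamed.exe",
     "CommandLine": "renamed.exe audit UnquotedServicePath"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "Description": "Host Process for Windows Services"},
]

if __name__ == "__main__":
    print("matching events:", matching_indices(SAMPLE_EVENTS))  # [0, 1, 2]
```

The second and third events show why the rule has three selectors: a renamed binary still carries its PE `Description`, and a renamed binary with a scrubbed description still exposes SharpUp's check names on the command line.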