HackTool - SharpUp PrivEsc Tool Execution

Detects the use of SharpUp, a tool for local privilege escalation

Sigma rule

title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022/08/20
modified: 2023/02/13
tags:
    - attack.privilege_escalation
    - attack.t1615      # Group Policy Discovery
    - attack.t1569.002  # System Services: Service Execution
    - attack.t1574.005  # Hijack Execution Flow: Executable Installer File Permissions Weakness
logsource:
    category: process_creation
    product: windows
detection:
    # The selection is a list of maps, so its items are OR-ed:
    # any one of the three conditions is enough to match.
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        # Names of SharpUp checks passed on the command line (any one matches)
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical
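
The rule's selection logic evaluated over process-creation events, as an added example that is not part of the rule or of the Sigma project's code. It assumes Sigma's default case-insensitive string matching and Sysmon-style field names; the sample events and the helper names (match_selection, evaluate) are constructed for illustration.

```python
# Added example: re-implements the rule's "selection" for offline testing.
# Sigma semantics assumed here: string matching is case-insensitive, the
# list of maps under "selection" is OR-ed, and the value list under
# CommandLine|contains is OR-ed.

CMDLINE_KEYWORDS = [
    "HijackablePaths", "UnquotedServicePath", "ProcessDLLHijack",
    "ModifiableServiceBinaries", "ModifiableScheduledTask",
    "DomainGPPPassword", "CachedGPPPassword",
]

def match_selection(event):
    """Return the selection items that matched; an empty list means no alert."""
    image = (event.get("Image") or "").lower()
    description = (event.get("Description") or "").lower()
    cmdline = (event.get("CommandLine") or "").lower()
    hits = []
    if image.endswith("\\sharpup.exe"):
        hits.append("Image|endswith")
    if description == "sharpup":  # no modifier: whole-value match
        hits.append("Description")
    if any(k.lower() in cmdline for k in CMDLINE_KEYWORDS):
        hits.append("CommandLine|contains")
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Original file name and PE description intact
    {"Image": r"C:\Users\Public\SharpUp.exe", "Description": "SharpUp",
     "CommandLine": "SharpUp.exe"},
    # Renamed on disk: still caught through the PE description
    {"Image": r"C:\Temp\svc_update.exe", "Description": "SharpUp",
     "CommandLine": "svc_update.exe"},
    # Renamed, no description: caught through a check name, any letter case
    {"Image": r"C:\Temp\a.exe", "Description": "",
     "CommandLine": "a.exe unquotedservicepath"},
    # Unrelated process: no match
    {"Image": r"C:\Windows\System32\notepad.exe", "Description": "Notepad",
     "CommandLine": "notepad.exe"},
]

def evaluate(events):
    """Pair each event's image path with the selection items that fired."""
    return [(e["Image"], match_selection(e)) for e in events]

if __name__ == "__main__":
    for image, hits in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT' if hits else 'ok':5} {image} {hits}")
```

Recording which selection item fired helps triage: a Description-only or CommandLine-only hit indicates the binary was renamed.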
