HackTool - SharpUp PrivEsc Tool Execution

Detects the use of SharpUp, a tool for local privilege escalation

Sigma rule (View on GitHub)

 1title: HackTool - SharpUp PrivEsc Tool Execution
 2id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
 3status: test
 4description: Detects the use of SharpUp, a tool for local privilege escalation
 5references:
 6    - https://github.com/GhostPack/SharpUp
 7author: Florian Roth (Nextron Systems)
 8date: 2022-08-20
 9modified: 2023-02-13
10tags:
11    - attack.privilege-escalation
12    - attack.t1615
13    - attack.t1569.002
14    - attack.t1574.005
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - Image|endswith: '\SharpUp.exe'
21        - Description: 'SharpUp'
22        - CommandLine|contains:
23              - 'HijackablePaths'
24              - 'UnquotedServicePath'
25              - 'ProcessDLLHijack'
26              - 'ModifiableServiceBinaries'
27              - 'ModifiableScheduledTask'
28              - 'DomainGPPPassword'
29              - 'CachedGPPPassword'
30    condition: selection
31falsepositives:
32    - Unknown
33level: critical

References

Related rules

to-top