HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
Sigma rule (View on GitHub)
```yaml
title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.execution
    - attack.t1615
    - attack.t1569.002
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
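The rule's `selection` is a list of three maps, which Sigma combines with OR, so any one of the image name, the file description or a check name on the command line raises the alert. The Python below is an added example (not part of the rule or of the Sigma project's code) that evaluates that logic over constructed process-creation events to show which clause fires; the event contents, the file name `svc_check.exe` and the helper `matched_clauses` are assumptions made for illustration.

```python
# Added example: evaluates the rule's `selection` against process-creation events.
# Sigma semantics assumed: a list of maps is OR-ed, a list of values under one
# field is OR-ed, and string comparison is case-insensitive.
SELECTION = [
    {"Image|endswith": ["\\SharpUp.exe"]},
    {"Description": ["SharpUp"]},
    {"CommandLine|contains": [
        "HijackablePaths", "UnquotedServicePath", "ProcessDLLHijack",
        "ModifiableServiceBinaries", "ModifiableScheduledTask",
        "DomainGPPPassword", "CachedGPPPassword",
    ]},
]

MODIFIERS = {
    "": lambda field, pat: field == pat,            # no modifier: exact match
    "endswith": lambda field, pat: field.endswith(pat),
    "contains": lambda field, pat: pat in field,
}


def matched_clauses(event):
    """Return the selection keys that fire for one event (empty list = no alert)."""
    hits = []
    for clause in SELECTION:
        for key, patterns in clause.items():
            name, _, modifier = key.partition("|")
            value = event.get(name)
            if value is None:   # field absent from the log: clause cannot match
                continue
            test = MODIFIERS[modifier]
            if any(test(value.lower(), p.lower()) for p in patterns):
                hits.append(key)
    return hits


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Users\\Public\\SharpUp.exe", "Description": "SharpUp",
     "CommandLine": "SharpUp.exe audit"},
    {"Image": "C:\\Temp\\svc_check.exe", "Description": "SharpUp",
     "CommandLine": "svc_check.exe audit"},
    {"Image": "C:\\Temp\\svc_check.exe",            # Description not logged
     "CommandLine": "svc_check.exe unquotedservicepath"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "Description": "Service Control",
     "CommandLine": "sc.exe qc Spooler"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Image"], "->", matched_clauses(ev) or "no match")
```

The third event shows why the `CommandLine|contains` clause matters for log sources that do not populate `Description`: only the check name on the command line is left to match on.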
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- HackTool - CrackMapExec Execution