HackTool - SharpView Execution
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Sigma rule (View on GitHub)
1title: HackTool - SharpView Execution
2id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
3related:
4 - id: dcd74b95-3f36-4ed9-9598-0490951643aa
5 type: similar
6status: test
7description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
8references:
9 - https://github.com/tevora-threat/SharpView/
10 - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
11 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
12author: frack113
13date: 2021/12/10
14modified: 2023/02/14
15tags:
16 - attack.discovery
17 - attack.t1049
18 - attack.t1069.002
19 - attack.t1482
20 - attack.t1135
21 - attack.t1033
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection:
27 - OriginalFileName: 'SharpView.exe'
28 - Image|endswith: '\SharpView.exe'
29 - CommandLine|contains:
30 # - 'Add-DomainGroupMember'
31 # - 'Add-DomainObjectAcl'
32 # - 'Add-ObjectAcl'
33 - 'Add-RemoteConnection'
34 - 'Convert-ADName'
35 - 'ConvertFrom-SID'
36 - 'ConvertFrom-UACValue'
37 - 'Convert-SidToName'
38 # - 'ConvertTo-SID'
39 - 'Export-PowerViewCSV'
40 # - 'Find-DomainLocalGroupMember'
41 - 'Find-DomainObjectPropertyOutlier'
42 - 'Find-DomainProcess'
43 - 'Find-DomainShare'
44 - 'Find-DomainUserEvent'
45 - 'Find-DomainUserLocation'
46 - 'Find-ForeignGroup'
47 - 'Find-ForeignUser'
48 - 'Find-GPOComputerAdmin'
49 - 'Find-GPOLocation'
50 - 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'
51 - 'Find-LocalAdminAccess'
52 - 'Find-ManagedSecurityGroups'
53 # - 'Get-ADObject'
54 - 'Get-CachedRDPConnection'
55 - 'Get-DFSshare'
56 # - 'Get-DNSRecord'
57 # - 'Get-DNSZone'
58 # - 'Get-Domain'
59 - 'Get-DomainComputer'
60 - 'Get-DomainController'
61 - 'Get-DomainDFSShare'
62 - 'Get-DomainDNSRecord'
63 # - 'Get-DomainDNSZone'
64 - 'Get-DomainFileServer'
65 - 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'
66 - 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'
67 - 'Get-DomainGroup' # 'Get-DomainGroupMember'
68 - 'Get-DomainGUIDMap'
69 - 'Get-DomainManagedSecurityGroup'
70 - 'Get-DomainObject' # 'Get-DomainObjectAcl'
71 - 'Get-DomainOU'
72 - 'Get-DomainPolicy' # 'Get-DomainPolicyData'
73 - 'Get-DomainSID'
74 - 'Get-DomainSite'
75 - 'Get-DomainSPNTicket'
76 - 'Get-DomainSubnet'
77 - 'Get-DomainTrust' # 'Get-DomainTrustMapping'
78 # - 'Get-DomainUser'
79 - 'Get-DomainUserEvent'
80 # - 'Get-Forest'
81 - 'Get-ForestDomain'
82 - 'Get-ForestGlobalCatalog'
83 - 'Get-ForestTrust'
84 - 'Get-GptTmpl'
85 - 'Get-GroupsXML'
86 # - 'Get-GUIDMap'
87 # - 'Get-IniContent'
88 # - 'Get-IPAddress'
89 - 'Get-LastLoggedOn'
90 - 'Get-LoggedOnLocal'
91 - 'Get-NetComputer' # 'Get-NetComputerSiteName'
92 - 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'
93 - 'Get-NetFileServer'
94 - 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'
95 - 'Get-NetGPO' # 'Get-NetGPOGroup'
96 # - 'Get-NetGroup'
97 - 'Get-NetGroupMember'
98 - 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'
99 - 'Get-NetLoggedon'
100 - 'Get-NetOU'
101 - 'Get-NetProcess'
102 - 'Get-NetRDPSession'
103 - 'Get-NetSession'
104 - 'Get-NetShare'
105 - 'Get-NetSite'
106 - 'Get-NetSubnet'
107 - 'Get-NetUser'
108 # - 'Get-ObjectAcl'
109 - 'Get-PathAcl'
110 - 'Get-PrincipalContext'
111 # - 'Get-Proxy'
112 - 'Get-RegistryMountedDrive'
113 - 'Get-RegLoggedOn'
114 # - 'Get-SiteName'
115 # - 'Get-UserEvent'
116 # - 'Get-WMIProcess'
117 - 'Get-WMIRegCachedRDPConnection'
118 - 'Get-WMIRegLastLoggedOn'
119 - 'Get-WMIRegMountedDrive'
120 - 'Get-WMIRegProxy'
121 - 'Invoke-ACLScanner'
122 - 'Invoke-CheckLocalAdminAccess'
123 - 'Invoke-Kerberoast'
124 - 'Invoke-MapDomainTrust'
125 - 'Invoke-RevertToSelf'
126 - 'Invoke-Sharefinder'
127 - 'Invoke-UserImpersonation'
128 # - 'New-DomainGroup'
129 # - 'New-DomainUser'
130 - 'Remove-DomainObjectAcl'
131 - 'Remove-RemoteConnection'
132 - 'Request-SPNTicket'
133 # - 'Resolve-IPAddress'
134 # - 'Set-ADObject'
135 - 'Set-DomainObject'
136 # - 'Set-DomainUserPassword'
137 - 'Test-AdminAccess'
138 condition: selection
139falsepositives:
140 - Unknown
141level: high
References
-
C# implementation of harmj0y's PowerView. Contribute to tevora-threat/SharpView development by creating an account on GitHub.
Read More -
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- PUA - AdFind Suspicious Execution
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- HackTool - Bloodhound/Sharphound Execution
- Renamed AdFind Execution
- Potential Dridex Activity